Listen to this Post
How the mentioned CVE works:
The vulnerability exists in `bug_report_page.php` when cloning an issue from a different Project. The clone form prepends the source Project’s name before the category selector without HTML escaping. An attacker with manager or administrator privileges can set a Project name containing malicious HTML/JavaScript. When a victim (e.g., a reporter or developer) clones an issue from that attacker-controlled Project, the unescaped Project name is injected directly into the page DOM. This enables stored Cross-site Scripting (XSS) because the injected code executes in the victim’s browser context. The attack requires the attacker to have elevated access to modify Project names, which reduces the risk but does not eliminate it. The injected payload can steal session cookies, perform actions on behalf of the victim, or redirect to malicious sites. The vulnerability is triggered only during the clone operation, specifically when the clone form is rendered. The payload persists in the page until the victim navigates away. Content Security Policy (CSP) mitigates script execution if properly configured, but without CSP or with a weak policy, the XSS is fully exploitable. The patch introduces proper escaping of the Project name before output. The fix was applied in commit df22697ae497ddd93f3d9132fdf4979db8d081cd. Workarounds include sanitizing Project names to remove HTML tags or restricting manager-level access to trusted users only.
dailycve form:
Platform: MantisBT
Version: Affected versions prior to patch
Vulnerability: Stored XSS
Severity: Medium
date: Not specified (use patch commit date)
Prediction: Patch already available (2025-05-11)
Analytics under What Undercode Say:
Check if Project name contains HTML tags using grep
mysql -u mantis_user -p -e "SELECT name FROM mantis_project_table WHERE name REGEXP '<[^>]>';"
Simulate injection payload
curl -X POST -d "project_name=<script>alert('XSS')</script>" \
-H "Cookie: mantis_session=..." \
https://mantis.example.com/manage_project_page.php
Verify patch applied
git log --oneline | grep df22697ae497ddd93f3d9132fdf4979db8d081cd
Exploit:
1. Gain manager or admin access to MantisBT.
- Create or rename a Project to
<img src=x onerror=alert(document.cookie)>. - Trigger clone of any issue from that Project to another Project.
- Victim visits the clone form (bug_report_page.php) – injected script executes.
Protection from this CVE:
- Apply commit `df22697ae497ddd93f3d9132fdf4979db8d081cd` or upgrade to patched version.
- Enforce Content Security Policy with
script-src 'self'. - Strip HTML tags from Project names using `strip_tags()` or input validation.
- Restrict manager/administrator privileges to absolutely trusted users.
- Use Web Application Firewall (WAF) rules to block HTML in Project name fields.
Impact:
- Unauthenticated attackers cannot exploit directly (requires manager/admin).
- Stored XSS can lead to session hijacking, CSRF bypass, data theft, and defacement.
- Limited by CSP if enforced; otherwise full browser context compromise.
- Affects all users who clone issues from a poisoned Project.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

