Listen to this Post
The vulnerability lies in MantisBT’s tag update page, which after processing a request redirects the user back to a previous page. The target URL for this redirect is taken directly from the HTTP `Referer` header without first being properly escaped or validated. An attacker can place arbitrary HTML—including script tags—into the `Referer` header. When the application builds the 302 redirect response, it writes this unsanitized content into the `Location` header and also embeds it in the HTML body of an intermediate “redirecting” page. Modern browsers URL-encode special characters when following a redirect, which normally blocks direct script execution. However, on server configurations that perform aggressive page caching (e.g., caching the redirect response itself), the injected HTML can be stored in the cache. A subsequent victim who requests that same cached page will receive the attacker’s injected HTML, allowing the script to execute in the victim’s browser context. This poisoning enables reflected XSS, where the payload is delivered not by a direct request but via a cached, previously poisoned response.
DailyCVE Form
Platform: MantisBT
Version: 2.28.0
Vulnerability: Reflected XSS
Severity: Moderate
Date: 2026-05-09
Prediction: 2026-05-11
What Undercode Say:
Check if vulnerable code exists (tag_update_page.php) grep -n "HTTP_REFERER" tag_update_page.php | grep "echo|print" Simulate malicious Referer header injection curl -i -X POST https://target.com/tag_update_page.php -H "Referer: http://test.com/"><script>alert(1)</script>" Apply security patch (commit b1ebc57) git clone https://github.com/mantisbt/mantisbt.git cd mantisbt && git checkout b1ebc57763f104eb5f541b7b4d1ce6948168abd9
Exploit:
Attacker crafts a URL or form submission to the tag update page with a `Referer` header containing HTML: Ref:"><script>alert(1)</script>. The application reflects that string into the redirect response. If the response is cached, any user hitting that cached page runs the script.
Protection from this CVE:
Patch to commit `b1ebc57763f104eb5f541b7b4d1ce6948168abd9` or update to MantisBT v2.28.1. If applying the patch, ensure that all output derived from the `Referer` header is passed through `htmlspecialchars()` before being written to the HTTP body or headers.
Impact:
Cache‑poisoned XSS can lead to session hijacking, theft of sensitive data, or complete account takeover (especially if the victim is an admin). The attack does not require user interaction beyond a previously cached malicious response.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

