Listen to this Post
The vulnerability resides in the `return_dynamic_filters.php` file. When a user provides a `filter_target` GET parameter (normally used to load custom fields via AJAX on the “View Issues” page), the code does not validate or sanitize the input. Specifically, the function extracts a numeric ID from a string starting with custom_field_. However, if an attacker injects arbitrary HTML into this ID, the value is passed unsanitized to the `print_filter_custom_field()` function. Inside print_filter_custom_field(), for a textarea custom field, the attacker-controlled value is reflected back directly into the HTML output as part of the `
dailycve form
Platform: MantisBT
Version: before 2.28.2
Vulnerability : Reflected XSS
Severity: Medium
date: May 11,2026
Prediction: Patch expected 2026-05-11
What Undercode Say:
Show the following bash commands with proper citation:
Basic curl test to detect vulnerable parameter
curl -k "http://target/mantis/return_dynamic_filters.php?filter_target=<XSS_PAYLOAD>"
Example of malicious filter_target: custom_field_1" onmouseover="alert('XSS')
curl -k "http://target/mantis/return_dynamic_filters.php?filter_target=custom_field_1%22%20onmouseover=%22alert(%27XSS%27)"
Check current MantisBT version
grep -i "version" /var/www/html/mantisbt/config_inc.php
Exploit automation (requires authentication)
python3 poc.py
Exploit:
The exploit requires low-privilege reporter access. Steps: create a custom textarea field, link it to a project, and use the malicious `filter_target` parameter [13†L70-L78].
Protection:
Upgrade to MantisBT version 2.28.2 or later. The patch sanitizes the parameter using `htmlspecialchars()` before output [11†L9-L11].
Impact:
Attacker can inject arbitrary HTML/JavaScript. This leads to session hijacking, credential theft, or internal network scans. HTML injection also triggers PHP errors revealing sensitive server paths [13†L64-L66].
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

