Listen to this Post
The vulnerability exists because the MantisBT `bug_update_page.php` script improperly escapes the contents of user-supplied data destined for textarea-type custom fields. When an authenticated attacker with bug reporting permissions enters specially crafted HTML or JavaScript into such a field, the server stores the unsanitized payload. The `bug_update_page.php` script then processes and echoes the stored textarea value back into the victim’s web browser without proper escaping of HTML special characters. Without a Content Security Policy (CSP) that blocks unsafe-inline script execution, the injected JavaScript runs in the context of the victim’s session, allowing the attacker to hijack the session, steal administrator credentials, and gain full access to project data.
DailyCVE Form:
Platform: MantisBT
Version: ≤ 2.28.1
Vulnerability : Stored XSS
Severity: Medium
date: 2026-05-11
Prediction: 2026-05-11
What Undercode Say:
Analytics reveal that while the default MantisBT CSP blocks script execution, administrators often customise or weaken these policies during deployment, leading to increased real-world risk. The flaw’s stored nature and prerequisite (textarea field needed) keep exploit complexity moderate, but successful attacks can be devastating. The quick patch turnaround within a known branch indicates solid security response, but organisations reliant on older MantisBT versions remain exposed.
Exploit:
Simulated authenticated POST to update a bug with XSS payload curl -X POST https://target-mantis.example/bug_update.php \ -H "Cookie: MANTIS_secure_session=..." \ -d "bug_id=123&custom_field_X=PAYLOAD&... " \ --data-raw 'custom_field_42=<img src=x onerror=alert(1)>'
Protection from this CVE:
- Apply the official commit `5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7` or upgrade to MantisBT `2.28.2` immediately.
- If patching is not possible, enforce a strict Content Security Policy (CSP) that disables `unsafe-inline` for script directives.
- Review project configurations and remove any unnecessary textarea-type custom fields unless absolutely required for business operations.
Impact:
- Session Theft: Attackers can impersonate any victim, including administrators, leading to complete system compromise.
- Full Data Access: All project data, issues, and configuration details become readable and modifiable, leading to data theft and integrity loss.
- Reputational Damage: Successful exploitation may lead to unavailability or defacement of the issue tracker.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

