MantisBT, Stored XSS, CVE-NOT-PROVIDED (High)

Listen to this Post

The vulnerability exists because the MantisBT “Move Attachments” admin page fails to escape the project name when rendering it. An attacker with manager or administrator access (or anyone able to set the project name) can inject malicious HTML or JavaScript into the project name field. When an admin later visits the Move Attachments page (e.g., /manage_proj_move_attachments.php), the unsanitized project name is reflected in the page context. For example, setting a project name to `` will execute the JavaScript when the page loads. The injection is stored in the database, making it a persistent (stored) XSS. The attack does not require user interaction beyond the admin viewing the page. The malicious payload can steal session cookies, perform internal port scanning, or redirect to phishing sites. MantisBT’s Content Security Policy (CSP) may block inline script execution, but CSP is only a mitigation; if the policy is misconfigured or lacks `script-src ‘unsafe-inline’` restrictions, the XSS still triggers. The attacker needs only “manager” role or above, which limits the attack surface but is still critical for high-privilege accounts. The root cause is missing output encoding via `htmlspecialchars()` or similar when displaying the project name on the admin page. The issue was introduced in an unknown earlier version and fixed in the latest commit (as of May 11, 2026). No workarounds are available besides upgrading.

dailycve form:

Platform: MantisBT
Version: Affected unknown
Vulnerability: Stored XSS
Severity: High
date: 2026-05-11

Prediction: 2026-05-18

What Undercode Say:

Analytics:

Grep for unescaped project name in Move Attachments
grep -r "project_name" /path/to/mantisbt/manage_proj_move_attachments.php
Simulate payload injection via API
curl -X POST -d "project_name=<img src=x onerror=alert(1)>" \
-H "Cookie: mantis_session=..." \
http://target/mantisbt/manage_proj_edit_page.php

Exploit:

Attacker sets project name to `”>` then triggers admin view of /manage_proj_move_attachments.php?project_id=XYZ.

Protection from this CVE:

Apply patch from GitHub advisory (commit hash unknown). If unavailable, manually escape output: `echo htmlspecialchars($project_name, ENT_QUOTES, ‘UTF-8’);` in move attachments page.

Impact:

Cross-site scripting allows session hijacking, defacement, or arbitrary actions performed in admin context, though CSP may limit script execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top