Mantis Bug Tracker Stored Cross-Site Scripting Vulnerability in Custom Textarea Fields

Vulnerability

A stored cross-site scripting vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier. The issue arises from improper escaping of textarea custom field contents on the Update Issue page, allowing an authenticated user with bug report permission to inject HTML that is stored and later rendered in the bug edit form. If the configured Content Security Policy (CSP) permits it, the injected HTML can execute arbitrary JavaScript when the page is loaded. The vulnerability could lead to session theft, allowing an attacker to take over an admin account and gain full access to project data. This issue affects any user viewing the bug edit form, including administrators.

Impact

Exploitation of this vulnerability could result in session theft, allowing an attacker to take over an admin account and gain full access to project data.

Remediation

Users can upgrade to MantisBT version 2.28.2, where this vulnerability has been patched. If an immediate upgrade is not possible, the issue can be mitigated by using the default Content Security Policy, which blocks script execution.
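The following is an added illustration, not MantisBT's own code: a hypothetical render_textarea_field() that echoes a stored custom field value unescaped beside the escaped version, with a CSP header as the second layer of defence. The field name, the sample value and the header value are constructed for this example.

```php
<?php
// Defence in depth: a Content Security Policy whose script-src has no
// 'unsafe-inline' keeps an injected inline script from running even if
// output escaping is missed somewhere (header value is a constructed example).
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Vulnerable pattern: the stored field value is written into the page as-is.
// A value containing "</textarea>" closes the element, and whatever follows
// becomes live HTML for every user who opens the edit form.
function render_textarea_field_unsafe(string $name, string $value): string {
    return '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// Hardened pattern: escape both attribute and text content for HTML.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would silently lose data).
function render_textarea_field(string $name, string $value): string {
    $safe_name  = htmlspecialchars($name,  ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safe_value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="' . $safe_name . '">' . $safe_value . '</textarea>';
}

// Constructed sample: a stored value that tries to break out of the textarea.
$stored = "release notes</textarea><b>injected markup</b>";

echo render_textarea_field_unsafe('custom_field_1', $stored), "\n";
// The <b> element is rendered as markup: the field has been escaped from.

echo render_textarea_field('custom_field_1', $stored), "\n";
// "&lt;/textarea&gt;&lt;b&gt;..." stays inside the textarea as plain text.
```

Reviewing every place a custom field value reaches the page (not only the Update Issue form) for the second pattern is the check a practitioner would run after applying the upgrade.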

Added: May 20, 2026, 10:24 PM
Updated: May 20, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          1.7
exploitability  5.7
remediation     7.9
relevance       8.9
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.