Mantis Bug Tracker
cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*
- >= 2.1.0, <= 2.28.1
A stored cross-site scripting vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.11.0 through 2.28.1. The issue arises from improper escaping of the owner's name in saved filters, allowing attackers to inject arbitrary HTML. This vulnerability is present on systems where the option to display real names is enabled. By default, only users with Manager access or higher can save filters publicly.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the filter.
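The root cause described above is a display name that reaches the HTML of the saved-filter page without output escaping. The following is an added illustration of that pattern and its hardened form, not MantisBT's own code: the two `render_filter_owner_*` functions and the sample real name are constructed for this example, and `htmlspecialchars` is PHP's standard escaping routine for an HTML text context.

```php
<?php
// Added illustration, not MantisBT's own code: compares emitting a stored
// display name raw with HTML-escaping it at the point of output.
// The $realname value below is a constructed sample standing in for an
// attacker-controlled real name.

declare(strict_types=1);

// Vulnerable pattern: the filter owner's real name is concatenated into the
// HTML of the saved-filter listing without escaping.
function render_filter_owner_unescaped(string $filterName, string $realname): string
{
    return '<td>' . $filterName . '</td><td>' . $realname . '</td>';
}

// Hardened pattern: every untrusted string is escaped for an HTML text
// context when it is written out. ENT_QUOTES also escapes single quotes,
// which matters if the value ever lands inside a quoted attribute.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_filter_owner_escaped(string $filterName, string $realname): string
{
    return '<td>' . html_escape($filterName) . '</td><td>' . html_escape($realname) . '</td>';
}

// Constructed sample: a real name carrying markup, as a user could set it in
// their own profile when real names are displayed.
$realname   = '<script>alert(1)</script>';
$filterName = 'Open bugs';

echo 'Unescaped: ' . render_filter_owner_unescaped($filterName, $realname) . PHP_EOL;
// The <script> element is delivered intact to every viewer's browser.

echo 'Escaped:   ' . render_filter_owner_escaped($filterName, $realname) . PHP_EOL;
// The name is shown as literal text: &lt;script&gt;alert(1)&lt;/script&gt;

// Self-check: the escaped output must not contain a raw tag.
assert(strpos(render_filter_owner_escaped($filterName, $realname), '<script') === false);
```

The design point is that escaping belongs at the output boundary, not at input time: a real name is legitimately allowed to contain characters such as `<` or `&`, and the page that renders it is the only place that knows the HTML context it is written into.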
To reproduce this vulnerability, first ensure that the MantisBT configuration option to show real names is enabled. Then, as a user with Manager access or higher, create a public filter and inject an HTML payload into the real name field. Once the filter is saved, the payload will be executed when the filter is viewed by others.
Users can update to MantisBT version 2.28.2, where this vulnerability has been fixed. If an immediate update is not possible, the real name display can be disabled in the configuration, and the ability to store filters can be restricted.
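For administrators who cannot update right away, the two workarounds above map onto MantisBT configuration options. The fragment below is an added example for `config_inc.php`, not taken from the advisory; the option names `$g_show_realname` and `$g_stored_query_create_shared_threshold` are assumed to match the ones in your release's `config_defaults_inc.php`, so confirm them there before relying on this.

```php
<?php
// Added example for config_inc.php (not from the advisory). Option names are
// assumed; verify them against config_defaults_inc.php for your MantisBT release.

// Workaround 1: stop rendering real names anywhere in the UI, so a real name
// never reaches the saved-filter page in the first place.
$g_show_realname = OFF;

// Workaround 2: narrow who may create shared (public) filters. The advisory
// states the default is Manager access; raising the threshold to
// ADMINISTRATOR reduces the set of accounts whose filters are shown to
// every other user.
$g_stored_query_create_shared_threshold = ADMINISTRATOR;

// Optional: also restrict private filter creation if untrusted accounts exist.
// $g_stored_query_create_threshold = DEVELOPER;
```

Both settings are compensating controls only; the vulnerable rendering code remains in place until the instance is updated to 2.28.2.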