Mantis Bug Tracker
cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*
- >= 1.0.0, <= 2.28.1
A reflected cross-site scripting vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 1.0.0 through 2.28.1. The issue is in the 'return_dynamic_filters.php' file, which does not properly validate the 'filter_target' parameter. This lack of validation allows an attacker to inject arbitrary HTML into TEXTAREA custom fields. The vulnerability is exploitable when the 'filter_target' parameter is crafted to include a custom field ID: the value is neither validated nor sanitized, so the injected HTML can be executed in the context of the user.
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the user's browser.
To reproduce this vulnerability, create a custom textarea field in MantisBT and link it to a project. Then, send a request to 'return_dynamic_filters.php' with a 'filter_target' parameter that includes the ID of the custom field, along with injected HTML. The injected HTML will be executed as a script in the user's browser.
Users can upgrade to MantisBT version 2.28.2, where this vulnerability has been fixed.
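For reviewing traffic to an instance that ran an affected version, the following added example (not part of the advisory or of MantisBT's code) scans web access log lines for requests to 'return_dynamic_filters.php' whose 'filter_target' value is not a plain identifier. The allow-list pattern, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "return_dynamic_filters.php"   # file named in the advisory
PARAM = "filter_target"                   # parameter named in the advisory
# Assumption: legitimate values are plain identifiers (letters, digits, "_").
SAFE_VALUE = re.compile(r"[A-Za-z0-9_]+")
# Assumption: combined-log-style lines with the request line in double quotes.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_requests(lines):
    """Return (client, decoded_value) for each non-identifier filter_target."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/" + ENDPOINT):
            continue
        # parse_qs percent-decodes once; a double-encoded value still holds
        # "%" afterwards, so the allow-list rejects it as well.
        for value in parse_qs(url.query).get(PARAM, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


# Constructed sample lines (documentation IP ranges, placeholder field names).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] '
    '"GET /mantis/return_dynamic_filters.php?filter_target=field_7 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] '
    '"GET /mantis/return_dynamic_filters.php?filter_target=field_7%3Cb%3Ex HTTP/1.1" 200 540',
    '203.0.113.4 - - [01/Jan/2025:10:00:09 +0000] '
    '"GET /mantis/other_page.php?filter_target=%3Cb%3E HTTP/1.1" 200 9000',
    '203.0.113.5 - - [01/Jan/2025:10:00:12 +0000] '
    '"GET /mantis/return_dynamic_filters.php?filter_target=field_7%253Cb%253E HTTP/1.1" 200 540',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\tfilter_target={value!r}")
```

Only query-string parameters are visible here; a 'filter_target' sent in a POST body does not appear in a standard access log and needs request-body logging to review.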