An XSS issue was discovered in manageuserpage.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
{
"cpe": [
"cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.5.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "2.1.0"
},
{
"last_affected": "2.1.0"
},
{
"introduced": "2.1.1"
},
{
"last_affected": "2.1.1"
},
{
"introduced": "2.1.2"
},
{
"last_affected": "2.1.2"
},
{
"introduced": "2.1.3"
},
{
"last_affected": "2.1.3"
},
{
"introduced": "2.2.0"
},
{
"last_affected": "2.2.0"
},
{
"introduced": "2.2.1"
},
{
"last_affected": "2.2.1"
},
{
"introduced": "2.2.2"
},
{
"last_affected": "2.2.2"
},
{
"introduced": "2.2.3"
},
{
"last_affected": "2.2.3"
},
{
"introduced": "2.2.4"
},
{
"last_affected": "2.2.4"
},
{
"introduced": "2.3.0"
},
{
"last_affected": "2.3.0"
},
{
"introduced": "2.3.1"
},
{
"last_affected": "2.3.1"
},
{
"introduced": "2.3.2"
},
{
"last_affected": "2.3.2"
},
{
"introduced": "2.3.3"
},
{
"last_affected": "2.3.3"
},
{
"introduced": "2.4.0"
},
{
"last_affected": "2.4.0"
},
{
"introduced": "2.4.1"
},
{
"last_affected": "2.4.1"
},
{
"introduced": "2.4.2"
},
{
"last_affected": "2.4.2"
},
{
"introduced": "2.5.0"
},
{
"last_affected": "2.5.0"
},
{
"introduced": "2.5.1"
},
{
"last_affected": "2.5.1"
}
],
"source": [
"CPE_STRING",
"REFERENCES"
]
}