A cross-site scripting (XSS) vulnerability in the Edit Filter page (managefilteredit page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name.