GHSA-qghg-v7xv-q98q

Source

https://github.com/advisories/GHSA-qghg-v7xv-q98q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-qghg-v7xv-q98q/GHSA-qghg-v7xv-q98q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qghg-v7xv-q98q

Aliases

CVE-2022-33910

Published

2022-06-25T00:00:52Z

Modified

2025-06-11T17:57:13.663329Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

MantisBT XSS through crafted SVG documents in file_download.php

Details

An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute.

Database specific

{
    "severity": "MODERATE",
    "nvd_published_at": "2022-06-24T17:15:00Z",
    "github_reviewed_at": "2025-06-11T17:29:39Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name: mantisbt/mantisbt
Purl: pkg:composer/mantisbt/mantisbt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.25.5

Affected versions

2.*

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.6.0

2.7.0

2.7.1

2.8.0

2.8.1

2.9.0

2.9.1

2.10.0

2.10.1

2.11.0

2.11.1

2.12.0

2.12.1

2.12.2

2.13.0

2.13.1

2.13.2

2.14.0

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.18.0

2.18.1

2.19.0

2.19.1

2.20.0

2.20.1

2.21.0

2.21.1

2.21.2

2.21.3

2.22.0

2.22.1

2.22.2

2.23.0

2.23.1

2.24.0

2.24.1

2.24.2

2.24.3

2.24.4

2.24.5

2.25.0

2.25.1

2.25.2

2.25.3

2.25.4