GHSA-qgrr-f26j-87vf

Source

https://github.com/advisories/GHSA-qgrr-f26j-87vf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qgrr-f26j-87vf/GHSA-qgrr-f26j-87vf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qgrr-f26j-87vf

Aliases

CVE-2020-25288

Published

2022-05-24T17:29:50Z

Modified

2025-05-29T16:14:31.055257Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

MantisBT XXS where a Custom Field with a crafted Regular Expression property is used

Details

An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.

Database specific

{
    "nvd_published_at": "2020-09-30T21:15:00Z",
    "github_reviewed_at": "2025-05-29T15:45:29Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name: mantisbt/mantisbt
Purl: pkg:composer/mantisbt/mantisbt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.23.0

Fixed

2.24.3

Affected versions

2.*

2.23.0

2.23.1

2.24.0

2.24.1

2.24.2