MantisBT: Stored XSS in print_all_bug_page_word.php
A missing output encoding call in print_all_bug_page_word.php allows any authenticated user to inject arbitrary HTML into an IMG tag's *alt* attribute via an image attachment with a crafted filename such as probe." onload="alert(1).
When any user views the HTML export page (print_all_bug_page_word.php?type_page=html&export=1), the rendered IMG tag becomes ``, breaking out of the alt attribute.
Impact
Cross-site scripting.Impact is limited by MantisBT's Content Security Policy.
Patches
- https://github.com/mantisbt/mantisbt/commit/bdd0e364f62759de272dfd4c89b4f51d27be9daa
Workarounds
NoneResources
- https://mantisbt.org/bugs/view.php?id=37234