GHSA-h2wf-967x-gxvwHigh

MantisBT: Stored XSS in print_all_bug_page_word.php

Published
July 15, 2026
Last Modified
July 15, 2026

🔗 CVE IDs covered (1)

📋 Description

A missing output encoding call in print_all_bug_page_word.php allows any authenticated user to inject arbitrary HTML into an IMG tag's alt attribute via an image attachment with a crafted filename such as probe." onload="alert(1).

When any user views the HTML export page (print_all_bug_page_word.php?type_page=html&export=1), the rendered IMG tag becomes <img src="..." alt="" onload="alert(1)" />, breaking out of the alt attribute.

Impact

Cross-site scripting.

Impact is limited by MantisBT's Content Security Policy.

Patches

  • https://github.com/mantisbt/mantisbt/commit/bdd0e364f62759de272dfd4c89b4f51d27be9daa

Workarounds

None

Resources

  • https://mantisbt.org/bugs/view.php?id=37234

Credits

MantisBT thanks the Dracosec Research Limited team (Chris Chan, Krecendo Hui, William Lam) for discovering and responsibly reporting the issue.

🎯 Affected products1

  • composer/mantisbt/mantisbt:<= 2.28.3

🔗 References (4)