GHSA-QJ6W-V29Q-4RGX

Vulnerability from github – Published: 2026-05-11 19:34 – Updated: 2026-05-11 19:34
VLAI?
Summary
MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values
Details

Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded.

Impact

Session theft leading to admin account takeover, full project data access.

  • Precondition: A textarea-type custom field must be configured for the project
  • Attacker: Authenticated user with bug report permission (low privilege)
  • Victim: Any user viewing the bug edit form, including administrators

Patches

  • 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7

Workarounds

The default Content-Security Policy will block script execution.

References

  • https://mantisbt.org/bugs/view.php?id=37003
  • This is related to CVE-2024-34081.

Credits

Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it. - Thanks to Nozomu Sasaki (Paul) (@morimori-dev) - Tristan Madani (@TristanInSec) from Talence Security

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.28.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.28.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:34:32Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Improper escaping of a textarea custom field\u0027s contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded.\n\n### Impact\nSession theft leading to admin account takeover, full project data access.\n\n- Precondition: A textarea-type custom field must be configured for the project\n- Attacker: Authenticated user with bug report permission (low privilege)\n- Victim: Any user viewing the bug edit form, including administrators\n\n### Patches\n- 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7\n\n### Workarounds\nThe default Content-Security Policy will block script execution.\n\n### References\n- https://mantisbt.org/bugs/view.php?id=37003\n- This is related to [CVE-2024-34081](https://github.com/advisories/GHSA-wgx7-jp56-65mq).\n\n### Credits\nThanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it.\n- Thanks to Nozomu Sasaki (Paul) (@morimori-dev)\n- Tristan Madani (@TristanInSec) from Talence Security",
  "id": "GHSA-qj6w-v29q-4rgx",
  "modified": "2026-05-11T19:34:32Z",
  "published": "2026-05-11T19:34:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=37003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.