Описание
MantisBT allows cross-site scripting (XSS) via crafted filename
The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed.
Пакеты
mantisbt/mantisbt
< 2.21.2
2.21.2
Связанные уязвимости
The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed.
The Timeline feature in my_view_page.php in MantisBT through 2.21.1 ha ...