Описание
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.
Ссылки
- PatchThird Party Advisory
- ExploitPatchVendor Advisory
- PatchThird Party Advisory
- ExploitPatchVendor Advisory
Уязвимые конфигурации
EPSS
4.8 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
Связанные уязвимости
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.
An issue was discovered in MantisBT before 2.24.3. When editing an Iss ...
MantisBT XXS where a Custom Field with a crafted Regular Expression property is used
EPSS
4.8 Medium
CVSS3
3.5 Low
CVSS2