Описание
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
Ссылки
- PatchThird Party Advisory
- ExploitPatchVendor Advisory
- PatchThird Party Advisory
- ExploitPatchVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.24.3 (исключая)
cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*
EPSS
Процентиль: 69%
0.00596
Низкий
4.8 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 4.8
ubuntu
больше 5 лет назад
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVSS3: 4.8
debian
больше 5 лет назад
An issue was discovered in MantisBT before 2.24.3. Improper escaping o ...
EPSS
Процентиль: 69%
0.00596
Низкий
4.8 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79