CVE-2022-33910

Опубликовано: 24 июн. 2022

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute.

Ссылки

https://mantisbt.org/blog/archives/mantisbt/719
Release Notes
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=29135
Exploit
Issue Tracking
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=30384
Exploit
Issue Tracking
Vendor Advisory
https://mantisbt.org/blog/archives/mantisbt/719
Release Notes
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=29135
Exploit
Issue Tracking
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=30384
Exploit
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*

Версия до 2.25.5 (исключая)

EPSS

Процентиль: 48%

0.00251

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2022-33910

CVSS3: 5.4

debian

больше 3 лет назад

An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers ...

GHSA-qghg-v7xv-q98q

CVSS3: 5.4

github

больше 3 лет назад

MantisBT XSS through crafted SVG documents in file_download.php

EPSS

Процентиль: 48%

0.00251

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79