Atrol

**Name of the Vulnerable Software and Affected Versions** MantisBT version 1.2.14 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a version, related to deleting a version. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For MantisBT version 1.2.14, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the version deletion functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MantisBT version 1.2.13 **Description** A cross-site scripting (XSS) issue exists in the configuration report page, specifically in the adm config report.php file, allowing remote authenticated users to inject arbitrary web script or HTML via a project name. **Recommendations** For MantisBT version 1.2.13, consider restricting access to the configuration report page until a fix is available. As a temporary workaround, avoid using the project name field in the adm config report.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions 2.1.0 through 2.17.1 **Description** A cross-site scripting issue in the Manage Filters page allows remote attackers to inject arbitrary code through a crafted project name, provided access rights and CSP settings permit it. **Recommendations** For versions 2.1.0 through 2.17.1, update to a version that contains a fix for this issue to prevent arbitrary code injection. As a temporary workaround, consider restricting access to the Manage Filters page (manage filter page.php) to minimize the risk of exploitation. Avoid using crafted project names in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions 2.1.0 through 2.17.1 **Description** A cross-site scripting issue in the Edit Filter page allows remote attackers to inject arbitrary code through a crafted project name, provided access rights and CSP settings permit it. **Recommendations** For versions 2.1.0 through 2.17.1, update to a version that contains a fix for this issue to prevent arbitrary code injection. As a temporary workaround, consider restricting access to the manage filter edit page.php to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MantisBT Source Integration plugin versions prior to 1.5.9 MantisBT Source Integration plugin versions 2.x prior to 2.1.5 **Description** A cross-site scripting (XSS) issue in the Manage Repository and Changesets List pages allows execution of arbitrary code, if Content Security Policy (CSP) settings permit it, via `repo manage page.php` or `list.php`. **Recommendations** For MantisBT Source Integration plugin versions prior to 1.5.9, update to version 1.5.9 or later. For MantisBT Source Integration plugin versions 2.x prior to 2.1.5, update to version 2.1.5 or later.

**Name of the Vulnerable Software and Affected Versions** MantisBT version 1.2.12 **Description** The issue allows remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML. This can be achieved via a category name in the `summary print by category` function or a project name in the `summary print by project` function. **Recommendations** For MantisBT version 1.2.12, consider restricting access to the `summary print by category` and `summary print by project` functions until a patch is available. As a temporary workaround, limit the ability of users with manager or administrator permissions to inject arbitrary web script or HTML via category names or project names. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions 1.0.0 through 1.2.15 **Description** A cross-site scripting (XSS) issue exists, allowing remote authenticated users to inject arbitrary web script or HTML via a project name. This occurs in the account sponsor page.php file. **Recommendations** For versions 1.0.0 through 1.2.15, update to a version that contains a fix for this issue to prevent exploitation.