CVE-2013-1810

Name of the Vulnerable Software and Affected Versions MantisBT version 1.2.12

Description The issue allows remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML. This can be achieved via a category name in the summary print by category function or a project name in the summary print by project function.

Recommendations For MantisBT version 1.2.12, consider restricting access to the summary print by category and summary print by project functions until a patch is available. As a temporary workaround, limit the ability of users with manager or administrator permissions to inject arbitrary web script or HTML via category names or project names. At the moment, there is no information about a newer version that contains a fix for this vulnerability.