CVE-2018-14504

Name of the Vulnerable Software and Affected Versions MantisBT versions 2.x through 2.15.0

Description A cross-site scripting (XSS) issue was found in the Edit Filter page, allowing the execution of arbitrary code when displaying a filter with a crafted name, such as 'foobar" onclick="alert(1)"', if Content Security Policy (CSP) settings permit it.

Recommendations For MantisBT versions 2.x through 2.15.0, as a temporary workaround, consider restricting the use of the Edit Filter page until a patch is available. Avoid using crafted filter names in the affected page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.