PT-2019-13972 · Mantisbt · Mantisbt

Kamran Saifullah · Published 2019-08-21 · Updated 2022-05-24 · CVE-2019-15074

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.21.2
Description: Stored cross-site scripting (XSS) in the Timeline feature of my_view_page.php. An attacker who can attach a file to an issue chooses the filename; if that name carries HTML or script, the Timeline prints it without encoding, so the attacker's script runs in the browser of every user who can see the issue, each time that user's My View page renders the Timeline. The stored payload only executes where the instance's Content Security Policy (CSP) permits it.
Recommendations: Update to MantisBT 2.21.2 or later. If the update cannot be applied immediately, restrict who can view the Timeline on my_view_page.php and keep a CSP that does not allow inline script, since the stored payload is only executed where CSP permits it. Attachment filenames are attacker-controlled, so asking users not to upload crafted names is not a mitigation; instead, review the filenames of existing attachments for HTML metacharacters, because a payload stored before the upgrade remains in the database and is rendered harmlessly only once the output encoding fix is in place.
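The following PHP is an added illustration written for this page, not MantisBT's own code: it shows why an attachment filename concatenated straight into Timeline markup becomes stored XSS, the hardened rendering that entity-encodes every untrusted value, and a small regression check. The function names, the markup, the sample filename and the download-URL shape are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not MantisBT's code. Function names, markup, the sample
// filename and the download URL shape are assumptions. Requires PHP 7.4+.

// Constructed attacker-controlled filename. The upload itself is valid; the
// payload lives entirely in the name, which is what the Timeline prints later.
const CRAFTED_FILENAME = 'report<img src=x onerror=alert(document.cookie)>.pdf';

// Hypothetical vulnerable rendering: untrusted values dropped straight into
// markup. The browser parses the <img> tag from the filename and runs the
// onerror handler for every viewer of the page, if CSP allows inline handlers.
function timeline_attachment_vulnerable(string $user, int $fileId, string $filename): string
{
    return '<div class="timeline-entry">' . $user . ' attached '
        . '<a href="file_download.php?file_id=' . $fileId . '&type=bug">'
        . $filename . '</a></div>';
}

// Encode a value for an HTML text or attribute context. ENT_QUOTES covers both
// quote characters, so the helper is safe inside single- or double-quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would otherwise silently drop the value.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted value passes through html_encode(), the
// numeric id is cast so it cannot carry markup, and '&' inside the href is
// written as '&amp;' as HTML attributes require.
function timeline_attachment_fixed(string $user, int $fileId, string $filename): string
{
    return '<div class="timeline-entry">' . html_encode($user) . ' attached '
        . '<a href="file_download.php?file_id=' . (int) $fileId . '&amp;type=bug">'
        . html_encode($filename) . '</a></div>';
}

// Regression check a maintainer can keep next to the template: the only tag
// names present in the rendered entry must be the template's own.
function has_only_template_tags(string $html): bool
{
    preg_match_all('/<\/?([a-zA-Z][a-zA-Z0-9-]*)/', $html, $matches);
    $allowed = ['div', 'a'];
    return count(array_diff($matches[1], $allowed)) === 0;
}

if (PHP_SAPI === 'cli') {
    $vulnerable = timeline_attachment_vulnerable('alice', 42, CRAFTED_FILENAME);
    $fixed      = timeline_attachment_fixed('alice', 42, CRAFTED_FILENAME);

    // In the vulnerable output the <img ...> survives as a real tag; in the
    // fixed output it arrives as &lt;img ...&gt; and is displayed as text.
    echo "vulnerable: $vulnerable\n";
    echo "fixed:      $fixed\n";
    echo 'vulnerable passes check: ' . var_export(has_only_template_tags($vulnerable), true) . "\n";
    echo 'fixed passes check:      ' . var_export(has_only_template_tags($fixed), true) . "\n";
}
```

The encoding has to happen at the point of output, in the context the value lands in; validating or stripping the name at upload time does not help against payloads that were stored before the check existed, which is why the recommendation above is to review existing attachment filenames as well as to upgrade. The advisory's CSP precondition is the second layer: a script-src without 'unsafe-inline' stops this particular payload on an unpatched instance, but it is not a substitute for the fix, because a weaker policy, or a payload tailored to a source the policy allows, reopens the issue.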

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2019-15074
GHSA-GG4J-279J-22PH

Affected Products

Mantisbt