PT-2023-31360 · Mantisbt · Mantisbt Linkedcustomfields Plugin

Regad

Publicado

2023-12-11

Atualizado

2023-12-14

CVE-2023-49802

CVSS v3.1

6.7

Média

Vetor

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions MantisBT LinkedCustomFields plugin versions prior to 2.0.1

Description The issue allows cross-site scripting in the MantisBT LinkedCustomFields plugin, enabling Javascript execution when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This can be mitigated by utilizing MantisBT's default Content Security Policy, which blocks script execution.

Recommendations For versions prior to 2.0.1, update to version 2.0.1 to resolve the issue. As a temporary workaround, consider utilizing MantisBT's default Content Security Policy to block script execution.

Exploit

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2023-49802

GHSA-2F37-9XPX-5HHW

Produtos afetados

Mantisbt Linkedcustomfields Plugin

PT-2023-31360 · Mantisbt · Mantisbt Linkedcustomfields Plugin

CVE-2023-49802

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 10