Etienne Landais

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.3.7 MantisBT versions 2.x prior to 2.2.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary JavaScript via the `action type` parameter in the bug change status page.php file. **Recommendations** For versions prior to 1.3.7, update to version 1.3.7 or later. For versions 2.x prior to 2.2.1, update to version 2.2.1 or later. As a temporary workaround, consider restricting access to the bug change status page.php file until a patch is available. Avoid using the `action type` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 2.2.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary JavaScript via the `view type` parameter in the "view filters page.php" file. **Recommendations** For versions prior to 2.2.1, update to version 2.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "view filters page.php" file or avoiding the use of the `view type` parameter until the issue is resolved.