MantisBT · CVE-2021-33557
**Name of the Vulnerable Software and Affected Versions**
MantisBT versions prior to 2.25.2
**Description**
The issue stems from insufficient output escaping (improper neutralization of input during web page generation) in the `manage_custom_field_edit_page.php` component of the MantisBT bug tracking system, which allows a remote attacker to perform cross-site scripting attacks. The value of the `return` request parameter is written into a hidden input field without being escaped, so an attacker can inject HTML into the page.
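To illustrate the class of defect, the snippet below is an added example (not MantisBT's code or its actual fix): it contrasts echoing the `return` parameter straight into a hidden input with a version that validates the value as a local page path and escapes it for an attribute context. The function names, the `$f_return` variable and the default page name are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not MantisBT's code. Shows the bug class behind
// manage_custom_field_edit_page.php: a request parameter written into a
// hidden <input> value attribute without escaping.

// Vulnerable pattern: the attacker-controlled value lands in the attribute as-is.
function render_return_field_vulnerable( string $f_return ): string {
	return '<input type="hidden" name="return" value="' . $f_return . '" />';
}

// Hardening, step 1: the value is used as a redirect target, so only accept a
// plain local page name with an optional query string (allowed shape and the
// fallback page are assumptions for this example).
function validate_return_path( string $f_return, string $default = 'manage_custom_field_page.php' ): string {
	// Rejects absolute and scheme-relative URLs, quotes, angle brackets
	// and control characters outright.
	if( !preg_match( '#^[A-Za-z0-9_\-/]+\.php(\?[A-Za-z0-9_=&%.\-]*)?$#', $f_return ) ) {
		return $default;
	}
	return $f_return;
}

// Hardening, step 2: escape for an HTML attribute context. ENT_QUOTES covers
// both " and ' so the value can never terminate the attribute early.
function render_return_field_safe( string $f_return ): string {
	$t_return  = validate_return_path( $f_return );
	$t_escaped = htmlspecialchars( $t_return, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	return '<input type="hidden" name="return" value="' . $t_escaped . '" />';
}

// Constructed sample inputs: two legitimate return targets and one value
// that would close the attribute if it were echoed unescaped.
$t_inputs = array(
	'manage_custom_field_page.php',
	'view_all_bug_page.php?page_number=2',
	'"><i>x</i>',
);
foreach( $t_inputs as $t_in ) {
	echo "vulnerable: " . render_return_field_vulnerable( $t_in ) . "\n";
	echo "safe:       " . render_return_field_safe( $t_in ) . "\n\n";
}
```

Run with `php example.php`; the third input is replaced by the default page in the safe output, and the escaped value never contains a raw `"` or `<`.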
**Recommendations**
For versions prior to 2.25.2, update to version 2.25.2 or later to resolve the issue.
If upgrading immediately is not possible, consider restricting access to the `manage_custom_field_edit_page.php` component as a temporary workaround.
Avoid using the `return` parameter in the affected component until the issue is resolved.