Iamsecurity

**Name of the Vulnerable Software and Affected Versions** MantisBT versions through 2.5.2 **Description** The issue arises when the 'admin' directory is not removed after installation, and the MySQL client has the local infile setting enabled. This allows an attacker to exploit MySQL's "connect file read" feature, potentially enabling remote access to files on the MantisBT server. **Recommendations** For MantisBT versions through 2.5.2, remove the 'admin' directory as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide to prevent exploitation. Additionally, consider disabling the local infile setting in the MySQL client configuration, such as by setting mysqli.allow local infile to 0 in php.ini, to minimize the risk of remote file access.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.3.12 MantisBT versions 2.x prior to 2.5.2 **Description** A security issue was found in the installation script of MantisBT, where certain variables, such as `$f database`, `$f db username`, and `$f admin username`, are not properly sanitized, allowing remote attackers to inject arbitrary JavaScript code. This issue is mitigated by the recommended practice of deleting the admin folder after installation and is also prevented by Content Security Policy (CSP). **Recommendations** For MantisBT versions prior to 1.3.12, update to version 1.3.12 or later. For MantisBT versions 2.x prior to 2.5.2, update to version 2.5.2 or later. As a temporary workaround, consider deleting the admin folder after installation to minimize the risk of exploitation.