Roland Becker

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 2.21.3 **Description** The issue affects the Project Documentation feature, specifically the proj doc edit page.php file, allowing for a stored cross-site scripting (XSS) attack. This occurs when an attachment with a specially crafted filename is uploaded. The arbitrary code is executed when the document's page is edited, provided the Content Security Policy (CSP) settings permit it. **Recommendations** For versions prior to 2.21.3, update to version 2.21.3 or later to resolve the issue. As a temporary workaround, consider restricting the upload of attachments to trusted users only, and avoid editing documents that may contain malicious filenames until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MantisBT version 1.2.13 **Description** A cross-site scripting (XSS) issue exists in the configuration report page, specifically in the adm config report.php file, allowing remote authenticated users to inject arbitrary web script or HTML via a project name. **Recommendations** For MantisBT version 1.2.13, consider restricting access to the configuration report page until a fix is available. As a temporary workaround, avoid using the project name field in the adm config report.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions 2.1.0 through 2.17.1 **Description** A cross-site scripting issue in the Manage Filters page allows remote attackers to inject arbitrary code through a crafted project name, provided access rights and CSP settings permit it. **Recommendations** For versions 2.1.0 through 2.17.1, update to a version that contains a fix for this issue to prevent arbitrary code injection. As a temporary workaround, consider restricting access to the Manage Filters page (manage filter page.php) to minimize the risk of exploitation. Avoid using crafted project names in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions 2.1.0 through 2.17.1 **Description** A cross-site scripting issue in the Edit Filter page allows remote attackers to inject arbitrary code through a crafted project name, provided access rights and CSP settings permit it. **Recommendations** For versions 2.1.0 through 2.17.1, update to a version that contains a fix for this issue to prevent arbitrary code injection. As a temporary workaround, consider restricting access to the manage filter edit page.php to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MantisBT version 1.2.12 **Description** The issue allows remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML. This can be achieved via a category name in the `summary print by category` function or a project name in the `summary print by project` function. **Recommendations** For MantisBT version 1.2.12, consider restricting access to the `summary print by category` and `summary print by project` functions until a patch is available. As a temporary workaround, limit the ability of users with manager or administrator permissions to inject arbitrary web script or HTML via category names or project names. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.2.11 **Description** The issue allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments due to a lack of permission check for delete attachments threshold when form security validation is set to OFF. **Recommendations** For versions prior to 1.2.11, update to version 1.2.11 or later to resolve the issue. As a temporary workaround, consider setting form security validation to ON to minimize the risk of exploitation. Restrict access to attachment deletion functionality to minimize the risk of unauthorized attachment deletion.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.2.11 **Description** The issue concerns a problem with privilege checking in the `mc issue note update` function within the SOAP API. This allows remote attackers who have bug reporting privileges to edit arbitrary bugnotes by sending a SOAP request. **Recommendations** For versions prior to 1.2.11, update to version 1.2.11 or later to resolve the issue.