CVE-2014-9272

Name of the Vulnerable Software and Affected Versions MantisBT versions 1.2.0a1 through 1.2.x before 1.2.18

Description The issue concerns a function that does not properly validate the URL protocol, allowing remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. This could potentially lead to malicious scripts being executed on user systems.

Recommendations For MantisBT versions 1.2.0a1 through 1.2.x before 1.2.18, update to version 1.2.18 or later to resolve the issue. As a temporary workaround, consider restricting the use of the string insert href function until a patch is available.