PT-2020-14855 · Mantisbt · Mantisbt

Jaime Andrés Restrepo · Published 2020-08-12 · Updated 2022-05-24 · CVE-2020-16266

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.24.2
Description: A security issue was found that allows a remote attacker to inject arbitrary HTML into a page by saving it into a text Custom Field. The field value is not properly escaped when it is rendered on view_all_bug_page.php, so the injected markup can lead to code execution in the browser of any user viewing the issue, provided the Content Security Policy (CSP) settings permit it.
Recommendations: For versions prior to 2.24.2, update to version 2.24.2 or later to resolve the issue. As a temporary workaround, consider restricting access to view_all_bug_page.php or to custom fields to minimize the risk of exploitation.
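The following illustration is added here and is not MantisBT's own code: it contrasts the vulnerable pattern described above (a stored custom field value concatenated into the page verbatim) with the hardened form that escapes it, using a constructed field value. The function names and the table-cell markup are assumptions for the example.

```php
<?php
// Added example, not MantisBT's code. Shows why an unescaped text custom field
// value becomes markup in the issue list and how output encoding prevents that.

// Constructed sample value, as an attacker could store it in a text custom field.
// Harmless markup is enough to show the behaviour; any tag is treated the same way.
$customFieldValue = '<b>urgent</b> "quoted" & <u>underlined</u>';

// Vulnerable pattern (assumed, mirrors the advisory): the stored value is
// inserted into HTML unchanged, so the browser parses its tags as markup.
function render_cell_unescaped(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened pattern: encode &, <, >, " and ' so the value is displayed as
// literal text. ENT_QUOTES covers both quote styles, which matters when the
// value lands inside an attribute rather than element content.
function render_cell_escaped(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defender-side check: the escaped cell must not contain any tag other than
// the wrapping <td>, i.e. nothing from the field value survived as markup.
function cell_contains_only_td(string $html): bool
{
    return preg_replace('#^<td>.*</td>$#s', '', $html) === ''
        && strpos(substr($html, 4, -5), '<') === false;
}

echo render_cell_unescaped($customFieldValue), PHP_EOL;  // tags from the field are live markup
echo render_cell_escaped($customFieldValue), PHP_EOL;    // tags are shown as text
var_dump(cell_contains_only_td(render_cell_unescaped($customFieldValue))); // false
var_dump(cell_contains_only_td(render_cell_escaped($customFieldValue)));   // true

// Note: a CSP that forbids inline scripts limits what injected markup can do,
// but it is defence in depth; the fix is escaping at the point of output.
```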

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2020-16266
GHSA-4RRC-5VP6-M3F6

Affected Products

Mantisbt