CVE-2020-25288

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 2.24.3

Description An issue was discovered that allows HTML injection and potentially the execution of arbitrary JavaScript when editing an issue in a project with a custom field that has a crafted regular expression property. This occurs due to improper escaping of the corresponding form input's pattern attribute.

Recommendations For versions prior to 2.24.3, update to version 2.24.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom fields with regular expression properties until the update is applied.