CVE-2020-25830

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 2.24.3

Description An issue was discovered that allows an attacker to inject HTML and, if Content Security Policy (CSP) settings permit, achieve execution of arbitrary JavaScript when attempting to update a custom field via the bug actiongroup page.php endpoint. The issue is due to improper escaping of a custom field's name.

Recommendations For versions prior to 2.24.3, update to version 2.24.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the bug actiongroup page.php endpoint to minimize the risk of exploitation. Additionally, review and adjust CSP settings to prevent the execution of arbitrary JavaScript.