CVE-2020-8981

Name of the Vulnerable Software and Affected Versions MantisBT Source Integration plugin versions prior to 1.6.2 MantisBT Source Integration plugin versions 2.x prior to 2.3.1

Description A cross-site scripting (XSS) issue was found, allowing the execution of arbitrary code via a repo name on the repo delete.php Delete Repository page, provided that Content Security Policy (CSP) settings permit it.

Recommendations For versions prior to 1.6.2, update to version 1.6.2 or later. For versions 2.x prior to 2.3.1, update to version 2.3.1 or later. As a temporary workaround, consider restricting access to the repo delete.php page until a patch is available.