CVE-2022-26144

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 2.25.3

Description An issue was discovered in MantisBT, where improper escaping of a Plugin name allows execution of arbitrary code in manage plugin page.php and manage plugin uninstall.php when a crafted plugin is installed, provided that the Content Security Policy (CSP) allows it.

Recommendations For versions prior to 2.25.3, update to version 2.25.3 or later to resolve the issue. As a temporary workaround, consider restricting the installation of plugins to trusted sources until a patch is applied.