CVE-2020-25830: MantisBT HTML Injection vulnerability

May 24, 2022 (updated May 7, 2024)

An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field’s name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.

References

github.com/advisories/GHSA-2pm7-q8pc-xhvq
github.com/mantisbt/mantisbt
mantisbt.org/bugs/view.php?id=27304
nvd.nist.gov/vuln/detail/CVE-2020-25830

Code Behaviors & Features

Detect and mitigate CVE-2020-25830 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →