CVE-2021-43257: MantisBT CSV Injection unprivileged user access in csv_export.php

April 15, 2022 (updated May 30, 2025)

Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.

References

github.com/advisories/GHSA-rg8f-5p7x-m6wv
github.com/mantisbt/mantisbt
github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e
github.com/mantisbt/mantisbt/commit/99eb8d41cbacc703f88807898dcc9ac55eec0f15
nvd.nist.gov/vuln/detail/CVE-2021-43257
www.mantisbt.org/bugs/view.php?id=29130

Code Behaviors & Features

Detect and mitigate CVE-2021-43257 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →