CVE-2022-28508: MantisBT vulnerable to XSS via unescaped output in browser_search_plugin.php

May 5, 2022 (updated June 9, 2025)

An XSS issue was discovered in browser_search_plugin.php in MantisBT up to and including 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.

References

github.com/YavuzSahbaz/CVE-2022-28508/blob/main/MantisBT%202.25.2%20XSS%20vulnurability
github.com/advisories/GHSA-wfg2-2wmw-6894
github.com/mantisbt/mantisbt
mantisbt.org/
nvd.nist.gov/vuln/detail/CVE-2022-28508
sourceforge.net/projects/mantisbt

Code Behaviors & Features

Detect and mitigate CVE-2022-28508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →