CVE-2024-34081: Mantis Bug Tracker (MantisBT) vulnerable to cross-site scripting
Improper escaping of a custom field’s name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:
- resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field
- viewing issues (view_all_bug_page.php) when the custom field is displayed as a column
- printing issues (print_all_bug_page.php) when the custom field is displayed as a column
References
Detect and mitigate CVE-2024-34081 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →