An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it).
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| mantisbt/mantisbt(Packagist) | 2.1.0 | 2.24.2 | N/A |
CVSS Metrics
