CVE-2020-25288: XSS
First published: Wed Sep 30 2020(Updated: )
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mantisbt Mantisbt | <2.24.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-25288.
What is the severity level of CVE-2020-25288?
The severity level of CVE-2020-25288 is medium.
What is the affected software for CVE-2020-25288?
The affected software for CVE-2020-25288 is MantisBT before version 2.24.3.
How can this vulnerability be exploited?
This vulnerability can be exploited through HTML injection and potential execution of arbitrary code if CSP settings permit.
Is there a fix available for CVE-2020-25288?
Yes, the fix for CVE-2020-25288 can be found in MantisBT version 2.24.3.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/description
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/mantisbt
- canonical/mantisbt mantisbt