MantisBT Stored XSS Vulnerability via Tag Timeline Display
A stored HTML injection vulnerability (CVE-2026-33548) exists in MantisBT version 2.28.0, allowing attackers to inject HTML and execute arbitrary JavaScript by manipulating tag names displayed in the timeline due to improper escaping.
A stored cross-site scripting (XSS) vulnerability has been identified in MantisBT version 2.28.0. This flaw, tracked as CVE-2026-33548, stems from the improper handling of tag names retrieved from the history when displaying them in the timeline (my_view_page.php). Specifically, the application fails to adequately escape HTML entities within the tag names, allowing an attacker to inject malicious HTML code. If Content Security Policy (CSP) settings are permissive, this injected HTML can be leveraged to execute arbitrary JavaScript code within the context of a user's browser. This can lead to session hijacking, defacement, or other malicious activities. The vulnerability was discovered and responsibly reported by Vishal Shukla. Defenders should upgrade or implement workarounds.
Attack Chain
- An attacker with appropriate privileges logs into a vulnerable MantisBT instance.
- The attacker creates a new tag with a malicious payload embedded in the tag name (e.g.,
<img src=x onerror=alert(1)>). - The attacker associates the malicious tag with an issue.
- The attacker renames the malicious tag, further storing the payload in the history.
- A user views the issue's timeline on
my_view_page.php. - The application retrieves the tag name from the history without proper escaping.
- The malicious HTML is rendered in the user's browser.
- If CSP allows, the injected JavaScript executes, leading to XSS.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of other MantisBT users' browsers. This can lead to sensitive information disclosure, such as session cookies, which can then be used to hijack user accounts. The impact could also include defacement of the MantisBT interface or redirection of users to malicious websites. The vulnerability affects MantisBT 2.28.0 and requires immediate patching or mitigation.
Recommendation
- Upgrade to a patched version of MantisBT that includes the fix f32787c14d4518476fe7f05f992dbfe6eaccd815.
- Apply the suggested workaround by wrapping
$this->tag_namein astring_html_specialchars()call inIssueTagTimelineEvent::html(). - Deploy the Sigma rule "MantisBT Tag Based XSS Attempt" to detect potential exploitation attempts within web server logs.
- Monitor web server logs for requests to
my_view_page.phpcontaining suspicious tag names with HTML entities as detected by the Sigma rule "MantisBT Suspicious Tag".
Detection coverage 2
MantisBT Tag Based XSS Attempt
highDetects potential XSS attempts in MantisBT by identifying suspicious HTML tags within tag names in requests to my_view_page.php.
MantisBT Suspicious Tag
mediumDetects potential creation of suspicious tags with HTML entities.
Detection queries are available on the platform. Get full rules →