Product
MantisBT versions 2.28.3 and earlier are vulnerable to six reflected XSS injection points in the `/admin/install.php` script, which attackers can exploit without authentication to perform credential phishing, open redirects, and UI manipulation due to an incomplete Content Security Policy.