{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/composer/mantisbt/mantisbt--2.28.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["composer/mantisbt/mantisbt (\u003c= 2.28.3)"],"_cs_severities":["critical"],"_cs_tags":["xss","web-vulnerability","credential-theft","phishing","open-redirect"],"_cs_type":"advisory","_cs_vendors":["MantisBT"],"content_html":"\u003cp\u003eMantisBT versions 2.28.3 and earlier contain critical reflected Cross-Site Scripting (XSS) vulnerabilities, designated CVE-2026-52847, within the \u003ccode\u003e/admin/install.php\u003c/code\u003e script. There are six distinct injection points where user-supplied parameters are echoed directly into the HTML response without proper escaping via the \u003ccode\u003eprint_test_result()\u003c/code\u003e function. This vulnerability requires no prior authentication, making it easily exploitable. While a Content Security Policy (CSP) with \u003ccode\u003escript-src 'self'\u003c/code\u003e prevents direct inline JavaScript execution, the absence of a \u003ccode\u003eform-action\u003c/code\u003e directive in the CSP allows attackers to bypass this protection. This CSP misconfiguration enables sophisticated exploitation techniques such as credential-phishing form injection and \u003ccode\u003e\u0026lt;meta\u0026gt;\u003c/code\u003e-based open redirects, posing a significant risk to administrators. The vulnerability can lead to credential theft, silent redirection to malicious sites, and deceptive UI manipulation for social engineering purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Reconnaissance\u003c/strong\u003e: Attacker identifies a MantisBT instance with \u003ccode\u003e/admin/install.php\u003c/code\u003e accessible, potentially using OSINT or vulnerability scanning tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: Attacker confirms the presence of the reflected XSS vulnerability by sending crafted requests to \u003ccode\u003e/admin/install.php\u003c/code\u003e and observing unescaped input in the HTML response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Crafting\u003c/strong\u003e: Attacker crafts a malicious URL containing an XSS payload designed to either inject a fake login form or an HTML \u003ccode\u003e\u0026lt;meta\u0026gt;\u003c/code\u003e refresh tag for redirection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSocial Engineering\u003c/strong\u003e: Attacker sends the crafted malicious URL to a MantisBT administrator via email, instant message, or another communication vector (e.g., spearphishing).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Interaction\u003c/strong\u003e: The administrator clicks on the malicious URL, loading the vulnerable \u003ccode\u003e/admin/install.php\u003c/code\u003e page in their browser.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eXSS Execution\u003c/strong\u003e: The XSS payload in the URL executes, either rendering a fake login form that submits credentials to an attacker-controlled server or silently redirecting the user to a phishing or malware site.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft/Redirection\u003c/strong\u003e: The administrator's credentials are harvested by the attacker or the user is redirected to a malicious destination, leading to further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-52847 can lead to severe consequences for organizations using affected MantisBT versions. The primary observed impacts include credential phishing, where an attacker can craft a URL that displays a convincing, but fake, login form on the legitimate MantisBT admin page, capturing administrator credentials when submitted. Additionally, the vulnerability can be used for open redirects, silently steering victims to attacker-controlled phishing or malware distribution sites. UI manipulation via CSS injection is also possible, allowing attackers to hide legitimate content and overlay malicious HTML elements for social engineering. While specific victim counts are not provided, any administrator interacting with a crafted URL is at risk, potentially leading to full compromise of the MantisBT instance and broader network access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-52847 immediately\u003c/strong\u003e by upgrading MantisBT to a version patched by commits \u003ccode\u003e0f32ceabadc745239754962df91a51d5d51e3fd7\u003c/code\u003e or \u003ccode\u003ef2191a0d8ce438bf74171d496cf721dae025a5c0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement the recommended workaround\u003c/strong\u003e: Remove the \u003ccode\u003e/admin\u003c/code\u003e directory from MantisBT instances if not actively used, as suggested in the MantisBT Admin Guide.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule below\u003c/strong\u003e to your SIEM to detect attempts to exploit the \u003ccode\u003e/admin/install.php\u003c/code\u003e path with XSS payloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable comprehensive web server logging\u003c/strong\u003e for the \u003ccode\u003ewebserver\u003c/code\u003e category, capturing full URI paths and query parameters, to ensure the detection rule can identify malicious requests to \u003ccode\u003e/admin/install.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T18:31:26Z","date_published":"2026-07-15T18:31:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-reflected-xss-mantisbt/","summary":"MantisBT versions 2.28.3 and earlier are vulnerable to six reflected XSS injection points in the `/admin/install.php` script, which attackers can exploit without authentication to perform credential phishing, open redirects, and UI manipulation due to an incomplete Content Security Policy.","title":"MantisBT Reflected XSS Vulnerabilities in admin/install.php (CVE-2026-52847)","url":"https://feed.craftedsignal.io/briefs/2026-07-reflected-xss-mantisbt/"}],"language":"en","title":"CraftedSignal Threat Feed - Composer/Mantisbt/Mantisbt (\u003c= 2.28.3)","version":"https://jsonfeed.org/version/1.1"}