<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Composer/Mantisbt/Mantisbt (&lt;= 2.28.3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/composer/mantisbt/mantisbt--2.28.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 18:31:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/composer/mantisbt/mantisbt--2.28.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>MantisBT Reflected XSS Vulnerabilities in admin/install.php (CVE-2026-52847)</title><link>https://feed.craftedsignal.io/briefs/2026-07-reflected-xss-mantisbt/</link><pubDate>Wed, 15 Jul 2026 18:31:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-reflected-xss-mantisbt/</guid><description>MantisBT versions 2.28.3 and earlier are vulnerable to six reflected XSS injection points in the `/admin/install.php` script, which attackers can exploit without authentication to perform credential phishing, open redirects, and UI manipulation due to an incomplete Content Security Policy.</description><content:encoded><![CDATA[<p>MantisBT versions 2.28.3 and earlier contain critical reflected Cross-Site Scripting (XSS) vulnerabilities, designated CVE-2026-52847, within the <code>/admin/install.php</code> script. There are six distinct injection points where user-supplied parameters are echoed directly into the HTML response without proper escaping via the <code>print_test_result()</code> function. This vulnerability requires no prior authentication, making it easily exploitable. While a Content Security Policy (CSP) with <code>script-src 'self'</code> prevents direct inline JavaScript execution, the absence of a <code>form-action</code> directive in the CSP allows attackers to bypass this protection. This CSP misconfiguration enables sophisticated exploitation techniques such as credential-phishing form injection and <code>&lt;meta&gt;</code>-based open redirects, posing a significant risk to administrators. The vulnerability can lead to credential theft, silent redirection to malicious sites, and deceptive UI manipulation for social engineering purposes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Reconnaissance</strong>: Attacker identifies a MantisBT instance with <code>/admin/install.php</code> accessible, potentially using OSINT or vulnerability scanning tools.</li>
<li><strong>Vulnerability Identification</strong>: Attacker confirms the presence of the reflected XSS vulnerability by sending crafted requests to <code>/admin/install.php</code> and observing unescaped input in the HTML response.</li>
<li><strong>Payload Crafting</strong>: Attacker crafts a malicious URL containing an XSS payload designed to either inject a fake login form or an HTML <code>&lt;meta&gt;</code> refresh tag for redirection.</li>
<li><strong>Social Engineering</strong>: Attacker sends the crafted malicious URL to a MantisBT administrator via email, instant message, or another communication vector (e.g., spearphishing).</li>
<li><strong>Victim Interaction</strong>: The administrator clicks on the malicious URL, loading the vulnerable <code>/admin/install.php</code> page in their browser.</li>
<li><strong>XSS Execution</strong>: The XSS payload in the URL executes, either rendering a fake login form that submits credentials to an attacker-controlled server or silently redirecting the user to a phishing or malware site.</li>
<li><strong>Credential Theft/Redirection</strong>: The administrator's credentials are harvested by the attacker or the user is redirected to a malicious destination, leading to further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-52847 can lead to severe consequences for organizations using affected MantisBT versions. The primary observed impacts include credential phishing, where an attacker can craft a URL that displays a convincing, but fake, login form on the legitimate MantisBT admin page, capturing administrator credentials when submitted. Additionally, the vulnerability can be used for open redirects, silently steering victims to attacker-controlled phishing or malware distribution sites. UI manipulation via CSS injection is also possible, allowing attackers to hide legitimate content and overlay malicious HTML elements for social engineering. While specific victim counts are not provided, any administrator interacting with a crafted URL is at risk, potentially leading to full compromise of the MantisBT instance and broader network access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-52847 immediately</strong> by upgrading MantisBT to a version patched by commits <code>0f32ceabadc745239754962df91a51d5d51e3fd7</code> or <code>f2191a0d8ce438bf74171d496cf721dae025a5c0</code>.</li>
<li><strong>Implement the recommended workaround</strong>: Remove the <code>/admin</code> directory from MantisBT instances if not actively used, as suggested in the MantisBT Admin Guide.</li>
<li><strong>Deploy the Sigma rule below</strong> to your SIEM to detect attempts to exploit the <code>/admin/install.php</code> path with XSS payloads.</li>
<li><strong>Enable comprehensive web server logging</strong> for the <code>webserver</code> category, capturing full URI paths and query parameters, to ensure the detection rule can identify malicious requests to <code>/admin/install.php</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>xss</category><category>web-vulnerability</category><category>credential-theft</category><category>phishing</category><category>open-redirect</category></item></channel></rss>