{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33548/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MantisBT"],"_cs_severities":["high"],"_cs_tags":["mantisbt","xss","html-injection","cve-2026-33548","webserver"],"_cs_type":"advisory","_cs_vendors":["MantisBT"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability has been identified in MantisBT version 2.28.0. This flaw, tracked as CVE-2026-33548, stems from the improper handling of tag names retrieved from the history when displaying them in the timeline (my_view_page.php). Specifically, the application fails to adequately escape HTML entities within the tag names, allowing an attacker to inject malicious HTML code. If Content Security Policy (CSP) settings are permissive, this injected HTML can be leveraged to execute arbitrary JavaScript code within the context of a user's browser. This can lead to session hijacking, defacement, or other malicious activities. The vulnerability was discovered and responsibly reported by Vishal Shukla. Defenders should upgrade or implement workarounds.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker with appropriate privileges logs into a vulnerable MantisBT instance.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new tag with a malicious payload embedded in the tag name (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=alert(1)\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker associates the malicious tag with an issue.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the malicious tag, further storing the payload in the history.\u003c/li\u003e\n\u003cli\u003eA user views the issue's timeline on \u003ccode\u003emy_view_page.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application retrieves the tag name from the history without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe malicious HTML is rendered in the user's browser.\u003c/li\u003e\n\u003cli\u003eIf CSP allows, the injected JavaScript executes, leading to XSS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of other MantisBT users' browsers. This can lead to sensitive information disclosure, such as session cookies, which can then be used to hijack user accounts. The impact could also include defacement of the MantisBT interface or redirection of users to malicious websites. The vulnerability affects MantisBT 2.28.0 and requires immediate patching or mitigation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of MantisBT that includes the fix f32787c14d4518476fe7f05f992dbfe6eaccd815.\u003c/li\u003e\n\u003cli\u003eApply the suggested workaround by wrapping \u003ccode\u003e$this-\u0026gt;tag_name\u003c/code\u003e in a \u003ccode\u003estring_html_specialchars()\u003c/code\u003e call in \u003ccode\u003eIssueTagTimelineEvent::html()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;MantisBT Tag Based XSS Attempt\u0026quot; to detect potential exploitation attempts within web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003emy_view_page.php\u003c/code\u003e containing suspicious tag names with HTML entities as detected by the Sigma rule \u0026quot;MantisBT Suspicious Tag\u0026quot;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-mantisbt-xss/","summary":"A stored HTML injection vulnerability (CVE-2026-33548) exists in MantisBT version 2.28.0, allowing attackers to inject HTML and execute arbitrary JavaScript by manipulating tag names displayed in the timeline due to improper escaping.","title":"MantisBT Stored XSS Vulnerability via Tag Timeline Display","url":"https://feed.craftedsignal.io/briefs/2024-01-03-mantisbt-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33548","version":"https://jsonfeed.org/version/1.1"}