<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33548 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33548/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33548/feed.xml" rel="self" type="application/rss+xml"/><item><title>MantisBT Stored XSS Vulnerability via Tag Timeline Display</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-mantisbt-xss/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-mantisbt-xss/</guid><description>A stored HTML injection vulnerability (CVE-2026-33548) exists in MantisBT version 2.28.0, allowing attackers to inject HTML and execute arbitrary JavaScript by manipulating tag names displayed in the timeline due to improper escaping.</description><content:encoded><![CDATA[<p>A stored cross-site scripting (XSS) vulnerability has been identified in MantisBT version 2.28.0. This flaw, tracked as CVE-2026-33548, stems from the improper handling of tag names retrieved from the history when displaying them in the timeline (my_view_page.php). Specifically, the application fails to adequately escape HTML entities within the tag names, allowing an attacker to inject malicious HTML code. If Content Security Policy (CSP) settings are permissive, this injected HTML can be leveraged to execute arbitrary JavaScript code within the context of a user's browser. This can lead to session hijacking, defacement, or other malicious activities. The vulnerability was discovered and responsibly reported by Vishal Shukla. Defenders should upgrade or implement workarounds.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker with appropriate privileges logs into a vulnerable MantisBT instance.</li>
<li>The attacker creates a new tag with a malicious payload embedded in the tag name (e.g., <code>&lt;img src=x onerror=alert(1)&gt;</code>).</li>
<li>The attacker associates the malicious tag with an issue.</li>
<li>The attacker renames the malicious tag, further storing the payload in the history.</li>
<li>A user views the issue's timeline on <code>my_view_page.php</code>.</li>
<li>The application retrieves the tag name from the history without proper escaping.</li>
<li>The malicious HTML is rendered in the user's browser.</li>
<li>If CSP allows, the injected JavaScript executes, leading to XSS.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of other MantisBT users' browsers. This can lead to sensitive information disclosure, such as session cookies, which can then be used to hijack user accounts. The impact could also include defacement of the MantisBT interface or redirection of users to malicious websites. The vulnerability affects MantisBT 2.28.0 and requires immediate patching or mitigation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a patched version of MantisBT that includes the fix f32787c14d4518476fe7f05f992dbfe6eaccd815.</li>
<li>Apply the suggested workaround by wrapping <code>$this-&gt;tag_name</code> in a <code>string_html_specialchars()</code> call in <code>IssueTagTimelineEvent::html()</code>.</li>
<li>Deploy the Sigma rule &quot;MantisBT Tag Based XSS Attempt&quot; to detect potential exploitation attempts within web server logs.</li>
<li>Monitor web server logs for requests to <code>my_view_page.php</code> containing suspicious tag names with HTML entities as detected by the Sigma rule &quot;MantisBT Suspicious Tag&quot;.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>mantisbt</category><category>xss</category><category>html-injection</category><category>cve-2026-33548</category><category>webserver</category></item></channel></rss>