{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mantisbt/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mantisbt/mantisbt (\u003c= 2.28.1)"],"_cs_severities":["high"],"_cs_tags":["xss","mantisbt","github advisory"],"_cs_type":"threat","_cs_vendors":["composer"],"content_html":"\u003cp\u003eMantisBT, a web-based bug tracking system, is vulnerable to a stored cross-site scripting (XSS) attack. The vulnerability exists in the \u003ccode\u003efile_download.php\u003c/code\u003e script. By exploiting this flaw, an attacker can inject malicious JavaScript code into the application, which will be executed in the context of other users\u0026rsquo; browsers when they access the affected functionality. The vulnerability is triggered when processing file downloads, specifically when the \u003ccode\u003eshow_inline=1\u003c/code\u003e parameter is used in conjunction with a valid \u003ccode\u003efile_show_inline_token\u003c/code\u003e CSRF token. This allows an attacker to upload a crafted XHTML attachment that references a JavaScript attachment. The vulnerability affects MantisBT versions 2.28.1 and earlier. This can lead to account takeover, sensitive data leakage, and other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to MantisBT as a user with permissions to upload attachments.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious JavaScript file (e.g., \u003ccode\u003eevil.js\u003c/code\u003e) containing the XSS payload.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious XHTML file (e.g., \u003ccode\u003eevil.xhtml\u003c/code\u003e) that includes the JavaScript file using \u003ccode\u003e\u0026lt;script src=\u0026quot;evil.js\u0026quot;\u0026gt;\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker obtains a valid CSRF token for the \u003ccode\u003efile_show_inline_token\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eAttacker uploads both the \u003ccode\u003eevil.js\u003c/code\u003e and \u003ccode\u003eevil.xhtml\u003c/code\u003e files as attachments to a MantisBT issue.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a request to \u003ccode\u003efile_download.php\u003c/code\u003e with the \u003ccode\u003eshow_inline=1\u003c/code\u003e parameter, the valid CSRF token, and the file ID of the uploaded \u003ccode\u003eevil.xhtml\u003c/code\u003e attachment.\u003c/li\u003e\n\u003cli\u003eA victim user clicks a link (or is redirected) to the crafted \u003ccode\u003efile_download.php\u003c/code\u003e URL.\u003c/li\u003e\n\u003cli\u003eThe server serves the \u003ccode\u003eevil.xhtml\u003c/code\u003e file inline, which executes the embedded \u003ccode\u003eevil.js\u003c/code\u003e JavaScript in the victim\u0026rsquo;s browser, allowing the attacker to perform actions on behalf of the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of a victim\u0026rsquo;s browser. This can lead to a variety of malicious activities, including session hijacking, defacement of the MantisBT interface, theft of sensitive information, or further exploitation of the MantisBT server or the victim\u0026rsquo;s machine. Given the nature of bug tracking systems, successful exploitation could impact multiple users within an organization, potentially leading to widespread compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by MantisBT (26647b2e68ba30b9d7987d4e03d7a16416684bc2) to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect MantisBT XSS via file_download.php\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003efile_download.php\u003c/code\u003e with the \u003ccode\u003eshow_inline=1\u003c/code\u003e parameter and potentially malicious content in the request.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T19:42:20Z","date_published":"2026-05-11T19:42:20Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mantisbt-xss/","summary":"MantisBT is vulnerable to stored cross-site scripting (XSS) via file_download.php by using the `show_inline=1` parameter with a valid CSRF token to upload a crafted XHTML attachment referencing a JavaScript attachment, leading to arbitrary code execution.","title":"MantisBT Vulnerable to Stored XSS in File Download","url":"https://feed.craftedsignal.io/briefs/2026-05-mantisbt-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Mantisbt","version":"https://jsonfeed.org/version/1.1"}