{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mantisbt/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mantisbt (\u003e= 2.23.0, \u003c= 2.28.1)"],"_cs_severities":["high"],"_cs_tags":["credential-access","authorization-bypass","rest-api"],"_cs_type":"advisory","_cs_vendors":["MantisBT"],"content_html":"\u003cp\u003eMantisBT versions 2.23.0 through 2.28.1 are susceptible to an authorization bypass vulnerability (CVE-2026-42071) affecting the REST and SOAP APIs. A missing authorization check in the file visibility function allows any authenticated user with REPORTER access level or higher to download attachments on private bugnotes. These private bugnotes are intended for internal developer discussions, and their attachments (logs, screenshots, patches) should be equally protected. This issue was discovered and responsibly reported by multiple security researchers, including Vishal Shukla, Tristan Madani (@TristanInSec) from Talence Security, and Tang Cheuk Hei (@siunam321). The web UI is not affected by this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the MantisBT instance with REPORTER or higher access.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the ID of a bug issue.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the REST API endpoint \u003ccode\u003eGET /api/rest/issues/{id}/files\u003c/code\u003e or the SOAP API endpoint \u003ccode\u003emc_issue_attachment_get\u003c/code\u003e to request attachments associated with the issue.\u003c/li\u003e\n\u003cli\u003eThe API endpoint fails to properly validate whether the authenticated user has permission to access attachments associated with private bugnotes within that issue.\u003c/li\u003e\n\u003cli\u003eThe attacker receives a list of attachment metadata, including file names and download URLs, associated with private bugnotes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the download URLs to retrieve the contents of attachments on private bugnotes.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information contained within the attachments, such as logs, screenshots, or patches related to internal development discussions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows low-privileged authenticated users (REPORTER+) to access sensitive information intended for internal developer discussion, potentially leading to information disclosure. Attachments may contain sensitive data such as logs, screenshots, or patches, compromising the confidentiality of internal development processes. The number of affected installations is unknown, but all MantisBT instances running versions 2.23.0 to 2.28.1 are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade MantisBT to a patched version beyond 2.28.1 to address CVE-2026-42071.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts targeting the vulnerable REST API endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity targeting the \u003ccode\u003e/api/rest/issues/{id}/files\u003c/code\u003e endpoint to identify potential exploit attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T19:40:12Z","date_published":"2026-05-11T19:40:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mantisbt-auth-bypass/","summary":"MantisBT is vulnerable to a missing authorization check in its file visibility function, allowing authenticated users with REPORTER or higher access to download attachments on private bugnotes they should not be able to access through the REST API and SOAP API, affecting versions 2.23.0 to 2.28.1.","title":"MantisBT Private Bugnote Attachment Content Leak via REST API","url":"https://feed.craftedsignal.io/briefs/2026-05-mantisbt-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mantisbt (\u003c= 2.28.1)","mantisbt/mantisbt"],"_cs_severities":["high"],"_cs_tags":["csp-bypass","xss","attachment","mime-sniffing"],"_cs_type":"advisory","_cs_vendors":["MantisBT"],"content_html":"\u003cp\u003eMantisBT, a web-based bug tracking system, is vulnerable to a content security policy (CSP) bypass. Specifically, the vulnerability, identified as CVE-2026-40597, allows an attacker to circumvent the CSP\u0026rsquo;s \u003ccode\u003escript-src\u003c/code\u003e directive. This is achieved by uploading a specially crafted attachment to a MantisBT issue. The vulnerability exists in MantisBT versions 2.28.1 and earlier. An attacker must first inject HTML or XSS. When the attachment is accessed via the \u003ccode\u003efile_download.php\u003c/code\u003e link, PHP\u0026rsquo;s finfo mechanism incorrectly identifies it as a valid JavaScript MIME type. Because of this, the browser executes the payload within the context of the MantisBT application. This can lead to Cross-Site Scripting (XSS) attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies or exploits an existing XSS or HTML injection vulnerability in MantisBT.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload designed to execute JavaScript code within the browser, and ensures that it will be sniffed as JavaScript by PHP\u0026rsquo;s \u003ccode\u003efinfo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the crafted payload as an attachment to a MantisBT issue using the standard attachment upload functionality.\u003c/li\u003e\n\u003cli\u003eMantisBT stores the attachment, associating it with the specific issue.\u003c/li\u003e\n\u003cli\u003eA user (victim) accesses the issue containing the malicious attachment.\u003c/li\u003e\n\u003cli\u003eThe user clicks the \u003ccode\u003efile_download.php\u003c/code\u003e link associated with the uploaded attachment.\u003c/li\u003e\n\u003cli\u003eThe webserver serves the attachment via \u003ccode\u003efile_download.php\u003c/code\u003e. PHP\u0026rsquo;s \u003ccode\u003efinfo\u003c/code\u003e incorrectly identifies the MIME type of the file as a valid JavaScript MIME type.\u003c/li\u003e\n\u003cli\u003eThe browser imports the attachment as a \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tag and executes the attacker-controlled JavaScript code within the security context of the MantisBT domain, leading to XSS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability, in conjunction with a pre-existing XSS or HTML injection, allows an attacker to execute arbitrary JavaScript code in the context of the MantisBT application. This can lead to session hijacking, defacement of the MantisBT interface, sensitive information theft, or other malicious actions performed on behalf of the victim user. Given the wide use of MantisBT in software development and IT support organizations, a successful attack could impact a significant number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade MantisBT to a patched version beyond 2.28.1 as indicated in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-9c3j-xm6v-j7j3)\"\u003ehttps://github.com/advisories/GHSA-9c3j-xm6v-j7j3)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MantisBT CSP Bypass via JavaScript MIME Sniffing\u003c/code\u003e to detect attempts to exploit CVE-2026-40597.\u003c/li\u003e\n\u003cli\u003eReview and harden input validation and output encoding mechanisms to prevent XSS vulnerabilities, which are a prerequisite for exploiting CVE-2026-40597.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T19:35:30Z","date_published":"2026-05-11T19:35:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mantisbt-csp-bypass/","summary":"A content security policy bypass vulnerability, CVE-2026-40597, exists in MantisBT versions 2.28.1 and earlier, allowing an attacker to bypass the _script-src_ directive by uploading a crafted attachment that, when downloaded, executes as JavaScript due to MIME type sniffing, given a pre-existing XSS / HTML injection vulnerability.","title":"MantisBT Content Security Policy Bypass via Attachment Upload (CVE-2026-40597)","url":"https://feed.craftedsignal.io/briefs/2026-05-mantisbt-csp-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — MantisBT","version":"https://jsonfeed.org/version/1.1"}