MantisBT: master-2.28 f32787c1

Diff Back to Repository
Author Committer Branch Timestamp Parent
dregad dregad master-2.28 2026-03-16 07:39 master-2.28 80990f43
Affected Issues  0036973: CVE-2026-33548: Stored HTML Injection / XSS in my_view_page.php Timeline via Unescaped Historic Tag Name
Changeset

Escape unknown tag name in Timeline

Timeline API retrieves data from the bug_history table. It can happen
that the tag name stored there no longer exists (e.g. if it has been
renamed or deleted).

In this case, tag_get_by_name() returns false (obviously), causing
IssueTagTimelineEvent::html() to fall back to displaying the name stored
in the Timeline event as-is, but lack of proper escapeing was allowed
XSS / HTML injection.

Fixes 0036973
mod - core/classes/IssueTagTimelineEvent.class.php Diff File