View Issue Details

ID: 0037016
Project: mantisbt
Category: security
View Status: public
Last Update: 2026-05-09 19:56
Reporter: siunam
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.28.2
Fixed in Version: 2.28.2
Summary: 0037016: CVE-2026-40597: Content Security Policy bypass via attachments
Description

Given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution.

The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type.

    <?php
    // Fileinfo sniffs the shebang line and reports a JavaScript MIME type
    $t_finfo = new finfo( FILEINFO_MIME );
    $mime_type = $t_finfo->buffer( "#!/usr/bin/env node\nalert('xss')" );
    var_dump( $mime_type );
    // string(40) "application/javascript; charset=us-ascii"

When finfo sees that the buffer starts with #!/usr/bin/env node, it will get sniffed as JavaScript.

Steps To Reproduce
  1. Create a JavaScript payload, e.g. xss.js as follows:

    #!/usr/bin/env node
    alert('xss');
  2. Upload the file as an attachment to any Issue the victim has access to

  3. Get the file's download URL, e.g. http://example.com/mantis/file_download.php?file_id=123&type=bug

  4. Exploit any existing HTML injection vulnerability, for example the font-family in 0037011:

    • Using a crafted POST request (as explained in 0037011), or as an admin using adm_config_report.php, set the victim's font_family setting to
      </style><script src="/mantis/file_download.php?file_id=123&type=bug"></script><style>
    • Log in as the victim
    • Script is executed, as shown in attached screenshot
Additional Information

This was originally reported as part of 0037011 by @siunam. After analysis and discussion, it was agreed that it is in fact a separate vulnerability.

Proposed approach to fix (from 0037011:0070961):

For the CSP bypass, it is recommended that the response Content-Type header in mantisbt/file_download.php line 215 should be restricted to text/plain, application/pdf, application/octet-stream, and other image MIME types (e.g.: image/png). This is because other MIME types are not really important and will reduce the risk of CSP bypasses via this endpoint.

Tags: No tags attached.
Attached Files
image.png (39,744 bytes)

Relationships

related to 0037011 (closed, dregad): CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference
related to 0037020 (closed, dregad): CVE-2026-44657: Stored XSS in File Download

Activities

dregad (developer), 2026-04-12 13:49, note ~0070979

Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3 created, CVE request sent.

Please review and comment, thanks.

siunam (reporter), 2026-04-13 00:40, note ~0070994

I think the CVSS score should be 0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N. I don't think this CSP bypass will affect confidentiality, integrity, and availability. They are only affected when a vulnerability leverages this specific bypass.

siunam (reporter), 2026-04-13 01:03, note ~0070999

Last edited: 2026-04-13 01:06

I also want to clarify that this CSP bypass is not a vulnerability, but rather a security risk. This is because this bypass requires other vulnerabilities (i.e.: HTML injection) to have security impacts.

dregad (developer), 2026-04-13 04:30, note ~0071004

> this CSP bypass is not a vulnerability, but rather a security risk.

I'm not sure I agree with your assessment. As I understand the concept, a Risk is the probability of something harmful happening, i.e. that a Threat exploits the Vulnerability, combined with the consequences of that.

In my opinion, we clearly have a flaw in the software (i.e. a Vulnerability) here. The fact that another vulnerability is required to effectively exploit it does not make it a Risk.

siunam (reporter), 2026-04-13 06:30, note ~0071006

Looks like I confused security risk with other things. But the point is that CSP bypass is always a security risk because it removes a layer of protection. However, it can be escalated to a vulnerability when it actively enables an attacker to exploit an underlying flaw (like HTML injection in this case) that the CSP was specifically intended to prevent.

dregad (developer), 2026-04-17 02:47, note ~0071015

CVE-2026-40597 assigned

dregad (developer), 2026-05-03 13:50, note ~0071066

@siunam, patch is available for review https://github.com/mantisbt/mantisbt-private/pull/7, feedback welcome.

siunam (reporter), 2026-05-07 01:30, note ~0071071

I confirmed the patch fixed the vulnerability! I also left some comments on that PR.

Related Changesets

MantisBT: master-2.28 26647b2e, 2026-05-03 13:46, dregad

Restrict MIME type for file downloads

Until now, file_download.php was sending attachments content with a MIME
type determined by PHP's Fileinfo [1]. This creates a risk of JavaScript
execution bypassing the Content Security Policy.

We now only set the Content-Type header for known safe types (e.g. PDF
and images), all text types are forced to text/plain and the rest is
sent as application/octet-stream.

Includes corrections following review by vboctor.

Fixes 0037016, GHSA-9c3j-xm6v-j7j3 / CVE-2026-40597

[1]: https://www.php.net/manual/en/book.fileinfo.php
Affected Issues
0037016, 0037020
mod - file_download.php
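The mapping described in the commit message above (pass through known safe types, force all text types to text/plain, send everything else as application/octet-stream), and the finfo sniffing shown in the Description, as an added PHP example. This is not MantisBT's own file_download.php code or the actual patch; the function names, the allow-list and the sample inputs are assumptions chosen for illustration. Because the response also carries X-Content-Type-Options: nosniff, a browser will refuse to execute a file served as application/octet-stream or text/plain from a <script src> reference, which is what closes the bypass.

```php
<?php
// Added example (hypothetical helper names), not MantisBT project code.

/**
 * Map a MIME type reported by Fileinfo to the Content-Type that may be sent.
 *
 * @param string $p_detected Value returned by finfo, e.g. "application/javascript; charset=us-ascii"
 * @return string Restricted Content-Type header value
 */
function safe_download_content_type( string $p_detected ): string {
	// Drop any "; charset=..." parameter and normalise case before comparing
	$t_type = strtolower( trim( explode( ';', $p_detected, 2 )[0] ) );

	// Assumed allow-list for this example: types a browser may render without
	// any possibility of script execution. image/svg+xml is deliberately absent
	// because an SVG document can carry <script>.
	static $s_safe_types = array(
		'application/pdf',
		'image/png', 'image/jpeg', 'image/gif', 'image/webp', 'image/bmp',
	);
	if( in_array( $t_type, $s_safe_types, true ) ) {
		return $t_type;
	}

	// Every text/* type, including text/javascript and text/html, degrades to plain text
	if( strncmp( $t_type, 'text/', 5 ) === 0 ) {
		return 'text/plain';
	}

	// Anything else (application/javascript, application/xhtml+xml, unknown, ...) is opaque binary
	return 'application/octet-stream';
}

/**
 * Send an attachment with the restricted Content-Type (hypothetical download helper).
 *
 * @param string $p_content File content as read from storage
 */
function send_attachment( string $p_content ): void {
	// Same sniffing step as in the report: a "#!/usr/bin/env node" shebang is
	// reported as application/javascript, which the mapping below neutralises.
	$t_finfo = new finfo( FILEINFO_MIME );
	$t_detected = $t_finfo->buffer( $p_content );
	$t_content_type = safe_download_content_type( $t_detected === false ? '' : $t_detected );

	header( 'X-Content-Type-Options: nosniff' );
	header( 'Content-Type: ' . $t_content_type );
	header( 'Content-Length: ' . strlen( $p_content ) );
	echo $p_content;
}

// Constructed sample Fileinfo results and the header value each must map to
$t_samples = array(
	'application/javascript; charset=us-ascii' => 'application/octet-stream',
	'text/javascript; charset=utf-8'           => 'text/plain',
	'text/html; charset=utf-8'                 => 'text/plain',
	'image/svg+xml; charset=us-ascii'          => 'application/octet-stream',
	'image/png; charset=binary'                => 'image/png',
	'application/pdf; charset=binary'          => 'application/pdf',
	''                                         => 'application/octet-stream',
);

foreach( $t_samples as $t_detected => $t_expected ) {
	$t_actual = safe_download_content_type( $t_detected );
	if( $t_actual !== $t_expected ) {
		fwrite( STDERR, "Unexpected mapping for '$t_detected': $t_actual\n" );
		exit( 1 );
	}
	printf( "%-42s -> %s\n", $t_detected === '' ? '(undetected)' : $t_detected, $t_actual );
}
```

Run it from the command line with `php example.php`; only the mapping loop executes there, while send_attachment() is what a download endpoint would call after reading the stored file. If a deployment needs additional inline-viewable types, they belong in the allow-list, never in a fallback that echoes whatever Fileinfo reports.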