0037099: CVE-2026-44655: XSS in move_attachments_page.php

ID	Project	Category	View Status	Date Submitted	Last Update
0037099	mantisbt	security	public	2026-05-03 12:35	2026-05-09 19:56

Reporter	dregad	Assigned To	dregad
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.3.0
Target Version	2.28.2	Fixed in Version	2.28.2

Summary	0037099: CVE-2026-44655: XSS in move_attachments_page.php
Description	Unescaped Project Name allows an attacker to inject HTML in Move Attachments admin page. Prerequisites: Attacker can control the source project name Admin pages are available and User is allowed to access them (i.e. must have admin_site_threshold)
Steps To Reproduce	Create or change the name of a project to `<h1>pwned</h1>` Make sure the project contains at least one attachment Open /admin/move_attachments_page.php
Additional Information	Default CSP prevents script execution
Tags	No tags attached.
Attached Files	image.png (55,216 bytes) image.png (55,216 bytes)

dregad 2026-05-03 12:59 developer ~0071065	Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59 CVE request sent

dregad 2026-05-08 08:18 developer ~0071079	CVE-2026-44655 assigned

MantisBT: master-2.28 5cb4b469 2026-05-03 13:00 dregad Details Diff	Fix XSS on move_attachments_page.php Proper escaping of Project Name prevents HTML injection. Fixes 0037099, GHSA-7mqj-8gj2-cg59		Affected Issues 0037099
	mod - admin/move_attachments_page.php		Diff File