View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0037234 | mantisbt | security | public | 2026-06-03 03:02 | 2026-07-15 08:07 |
| Reporter | dracosectech | Assigned To | dregad | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Target Version | 2.28.4 | Fixed in Version | 2.28.4 | ||
| Summary | 0037234: CVE-2026-62944: Stored HTML injection via unescaped attachment filename extension in HTML export | ||||
| Description | A missing output encoding call in An attacker uploads a file with a crafted name such as MantisBT's default Content Security Policy ( | ||||
| Steps To Reproduce |
Defacement payload (works with MantisBT's default config): | ||||
| Additional Information | Credits: | ||||
| Tags | No tags attached. | ||||
| Attached Files | |||||
|
Confirmed. Thanks for your report ! |
|
|
Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h2wf-967x-gxvw created and CVE request sent. |
|
|
Hi @dregad, Thanks for handling this issue. Would you please help to add back the credit section as it is missing during issue reporting? Additionally, could you help granting access for our GitHub account for reviewing the GH Security Advisory? Many thanks. |
|
|
@dracosectech done and done. |
|
|
CVE-2026-62944 assigned |
|
|
MantisBT: master-2.28 bdd0e364 2026-06-08 09:03 Details Diff |
Fix XSS in print_all_bug_page_word.php Unescaped file extension was printed in <img> tag alt attribute. Consistently call string_html_specialchars() on printed variables. Use printf() instead echo to improve code readability. Replace `<br />` by `<br>`. Fixes 0037234 |
Affected Issues 0037234 |
|
| mod - print_all_bug_page_word.php | Diff File | ||