XSS in MantisBT LinkedCustomFields <2.0.1 script exec via linked fields
CVE-2023-49802 Published on December 11, 2023
MantisBT LinkedCustomFields Cross-site Scripting vulnerability
The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This issue is fixed in version 2.0.1. As a workaround, one may utilize MantisBT's default Content Security Policy, which blocks script execution.
Vulnerability Analysis
CVE-2023-49802 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-49802 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2023-49802
Want to know whenever a new CVE is published for MantisBT Linked Custom Fields? stack.watch will email you.
Affected Versions
mantisbt-plugins LinkedCustomFields Version < 2.0.1 is affected by CVE-2023-49802Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.