CVE-2020-16266
Summary
| CVE | CVE-2020-16266 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-08-12 13:15:00 UTC |
| Updated | 2020-08-17 18:29:00 UTC |
| Description | An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it). |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 0027056: CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php - MantisBT | CONFIRM | mantisbt.org | Exploit, Issue Tracking, Patch, Vendor Advisory |
| MantisBT 2.24.2 Released – Mantis Bug Tracker – Blog | CONFIRM | mantisbt.org | Release Notes, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.