VYPR
Unrated severity · NVD Advisory · Published Oct 27, 2005 · Updated Jun 16, 2026

CVE-2005-3337

Description

Multiple cross-site scripting (XSS) vulnerabilities in Mantis before 0.19.3 allow remote attackers to inject arbitrary web script or HTML via (1) unknown vectors involving Javascript and (2) mantis/view_all_set.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • Mantisbt/Mantis: 8 versions
    • cpe:2.3:a:mantis:mantis:0.19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.3:*:*:*:*:*:*:*
    • (no CPE) range: <0.19.3

Vulnerability mechanics

Root cause

"Unsanitized user input in unknown Javascript vectors and in mantis/view_all_set.php allows cross-site scripting."

Attack vector

An attacker can inject arbitrary web script or HTML via two vectors: (1) unknown vectors involving Javascript, and (2) the `mantis/view_all_set.php` page. The advisory does not detail the preconditions or payload shape; the stated impact is cross-site scripting (XSS), meaning the injected script executes in the victim's browser.

Affected code

The advisory names `mantis/view_all_set.php` as one affected page in Mantis before 0.19.3 but does not identify the functions involved. The other vector is described only as unknown vectors involving Javascript, with no file path given.

What the fix does

The advisory states that the fix was released in Mantis 0.19.3, but no patch diff is provided. The changelog does not describe the specific code changes; the remediation is to upgrade to version 0.19.3 or later.

Preconditions

  • input: The attacker must be able to supply input to the affected pages, likely via crafted URL parameters or form fields.
  • network: The victim must visit a crafted URL or page containing the injected script.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
