VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2010 · Updated Apr 29, 2026

CVE-2010-2802

Description

Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script or HTML via an HTML document with a .gif filename extension, related to inline attachments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MantisBT before 1.2.2 allows authenticated users to upload HTML files disguised as .gif, leading to XSS when rendered inline.

Vulnerability

MantisBT versions prior to 1.2.2 contain a cross-site scripting (XSS) vulnerability in the handling of inline attachments. An authenticated user can upload an HTML document with a .gif filename extension. The application uses PHP's Fileinfo extension to determine the MIME type from the file contents, which correctly identifies the file as text/html regardless of its .gif extension. When the attachment is served inline, the browser renders the HTML, allowing arbitrary script execution. This issue was reported as bug #11952 and fixed in upstream version 1.2.2 [1][4].

Exploitation

An attacker must have a valid authenticated account on the MantisBT instance. The attacker uploads a crafted HTML file containing malicious JavaScript, renamed with a .gif extension. The attacker then tricks another user (or themselves) into clicking a link to the attachment with the show_inline=1 parameter. Because the file is served with a Content-Type of text/html and without proper X-Content-Type-Options: nosniff headers, the browser renders the HTML and executes the embedded script. The fix also introduced a CSRF token to prevent cross-domain attacks where an attacker could embed the attachment in an iframe [1].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser session on the MantisBT domain. This can lead to session hijacking, defacement, or theft of sensitive data. The attack requires user interaction (clicking a link) and an authenticated attacker, but the impact is limited to the MantisBT application's security context [1][4].

Mitigation

Upgrade to MantisBT version 1.2.2 or later, which was released in August 2010. The fix introduces a show_inline parameter controlled by a CSRF token and ensures that attachments are served with Content-Disposition: attachment by default, preventing inline rendering. Additionally, the X-Content-Type-Options: nosniff header is set to disable MIME sniffing in Internet Explorer 8+. No workaround is available for versions prior to 1.2.2 [1][4].
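The attachment-serving logic from the Vulnerability and Mitigation sections, as an added illustration in Python (not MantisBT's own PHP code): the pre-1.2.2 inline behaviour beside a 1.2.2-style handler that defaults to Content-Disposition: attachment, always sets nosniff, and honours show_inline only with a valid CSRF token. The content sniffer is a minimal stand-in for Fileinfo, the sample bodies are constructed, and the inline type allowlist is this example's own extra check beyond what the advisory describes.

```python
"""Model of the CVE-2010-2802 attachment handling: vulnerable vs hardened.
Illustrative only; not MantisBT's code."""
import re

# Constructed sample bodies standing in for uploaded attachments.
GIF_BODY = b"GIF89a\x01\x00\x01\x00\x00\xff\xff\xff\x00\x00\x00;"
HTML_BODY = b"<!DOCTYPE html><html><body>looks like a picture</body></html>"


def sniff_mime(data: bytes) -> str:
    """Minimal content sniffer standing in for PHP's Fileinfo (assumption:
    the real extension is far more thorough; this covers only the cases
    used here). Like Fileinfo, it ignores the filename entirely."""
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if re.match(rb"\s*<(!doctype html|html|script|body)", data[:64], re.I):
        return "text/html"
    return "application/octet-stream"


def extension_mismatch(filename: str, mime: str) -> bool:
    """True when a .gif name carries non-GIF content: the CVE's trigger."""
    return filename.lower().endswith(".gif") and mime != "image/gif"


def safe_filename(filename: str) -> str:
    # Neutralise characters that would break or inject into the header value.
    return re.sub(r'[\r\n"\\]', "_", filename)


def vulnerable_headers(filename: str, data: bytes) -> dict:
    """Pre-1.2.2 behaviour per the advisory: detected type, rendered inline."""
    return {"Content-Type": sniff_mime(data),
            "Content-Disposition": f'inline; filename="{safe_filename(filename)}"'}


# Allowlist of types safe to render inline: this example's own addition.
INLINE_SAFE = {"image/gif", "image/png", "image/jpeg"}


def hardened_headers(filename: str, data: bytes, show_inline: bool = False,
                     csrf_token_valid: bool = False) -> dict:
    """1.2.2-style behaviour: attachment by default, nosniff always, inline
    only with show_inline=1, a valid CSRF token and an allowlisted type."""
    mime = sniff_mime(data)
    inline = show_inline and csrf_token_valid and mime in INLINE_SAFE
    disposition = "inline" if inline else "attachment"
    return {"Content-Type": mime,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"'}
```

Running `extension_mismatch` at upload time is a cheap place to reject or flag such files before they are ever served.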

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Mantisbt/Mantisbt (38 versions)
    • cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:* range: <=1.2.1
    • cpe:2.3:a:mantisbt:mantisbt:0.18.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0a3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc5:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.0:*:*:*:*:*:*:*
    • (no CPE) range: <1.2.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5 references (not reproduced on this page).

News mentions

No linked articles in our index yet.