CVE-2010-3303
Description
Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.3 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) a plugin name, related to manage_plugin_uninstall.php; (2) an enumeration value or (3) a String value of a custom field, related to core/cfdefs/cfdef_standard.php; or a (4) project or (5) category name to print_all_bug_page_word.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT before 1.2.3 contains multiple XSS vulnerabilities allowing authenticated admins to inject arbitrary script via plugin names, custom fields, or project/category names.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in MantisBT versions prior to 1.2.3. The flaws allow remote authenticated administrators to inject arbitrary web script or HTML through (1) a plugin name, as exploited via manage_plugin_uninstall.php; (2) an enumeration value or (3) a String value of a custom field, triggered in core/cfdefs/cfdef_standard.php; and (4) a project or (5) category name, when printing via print_all_bug_page_word.php [1], [2], [3], [4].
Exploitation
The attacker must hold administrative privileges in MantisBT. By storing a plugin name, a custom field enumeration or String value, or a project or category name that contains script or HTML, the attacker causes that content to execute when an administrator or another user views the affected pages. The pages that render the stored values are: the plugin uninstall page, the custom field definition view/edit page, and the printed bug report.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript or HTML in the context of the victim's browser session. This can lead to disclosure of sensitive information, session hijacking, or other client-side attacks. The injected code runs with the privileges of the authenticated user viewing the page.
Mitigation
The vulnerabilities are fixed in MantisBT version 1.2.3 [2], [3]; the cited references do not give the release date. Administrators should upgrade to 1.2.3 or later. No workaround is available if upgrading is not possible, since downgrading or disabling the affected features is not practical. The issues were not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of analysis.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:* (range: <=1.2.2)
- cpe:2.3:a:mantisbt:mantisbt:0.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.0a1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.0a2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0a1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0a2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0a3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.1:*:*:*:*:*:*:*
- (no CPE) (range: <1.2.3)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-controllable input (plugin names, custom field enumeration/String values, project names, category names) is not neutralized before being placed in web page output."
Attack vector
An attacker who is a remote authenticated administrator can inject arbitrary web script or HTML through several input vectors: (1) a malicious plugin name during plugin uninstallation, (2) an enumeration value or (3) a String value of a custom field, or (4) a project or (5) category name printed in `print_all_bug_page_word.php` [ref_id=1]. The injected script executes in the context of other users' browsers when they view the affected pages, leading to cross-site scripting (XSS) [CWE-79].
Affected code
The advisory identifies multiple vulnerable code paths: `manage_plugin_uninstall.php` (plugin name), `core/cfdefs/cfdef_standard.php` (custom field enumeration and String values), and `print_all_bug_page_word.php` (project and category names) [ref_id=1]. No patch diff is included in the bundle, so the exact line-level changes are not visible.
What the fix does
The fix was applied in MantisBT version 1.2.3. According to the bug tracker discussion for issue 0012234, developer dhx fixed not only enumeration values but all custom field types, including String values, by modifying the `cfdef_input_textbox` function in `core/cfdefs/cfdef_standard.php` [ref_id=3]. The advisory does not provide a patch diff, but the resolution is confirmed in the 1.2.3 release notes [ref_id=2].
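An illustrative before/after of the attribute-context escaping the fix describes, written for this page and not taken from MantisBT's own `cfdef_input_textbox`; the function names, field name, and sample value are assumptions:

```php
<?php
// Illustrative example, not MantisBT code. Models a custom-field textbox
// renderer of the kind the 1.2.3 fix hardened. $t_field_name and $t_value
// stand in for the stored custom field definition and its String value.

// Vulnerable form: the stored value is concatenated straight into an HTML
// attribute. A value containing a double quote terminates the attribute,
// and the remainder is parsed by the browser as further markup.
function render_textbox_unescaped(string $t_field_name, string $t_value): string {
    return '<input type="text" name="custom_field_' . $t_field_name
         . '" value="' . $t_value . '" />';
}

// Hardened form: escape for the attribute context. ENT_QUOTES converts both
// quote characters, so the value can no longer close the attribute.
function render_textbox_escaped(string $t_field_name, string $t_value): string {
    $t_safe_name  = htmlspecialchars($t_field_name, ENT_QUOTES, 'UTF-8');
    $t_safe_value = htmlspecialchars($t_value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="custom_field_' . $t_safe_name
         . '" value="' . $t_safe_value . '" />';
}

// Regression check: the rendered markup must contain exactly the four quotes
// that belong to the three attributes plus the closing one; any extra quote
// means the stored value broke out of its attribute.
function value_stays_in_attribute(string $t_html): bool {
    return substr_count($t_html, '"') === 6;
}

// Constructed sample value, harmless on purpose: it only shows that an
// unescaped quote lets stored data add an attribute the template never wrote.
$t_sample = 'x" title="injected';

$t_bad  = render_textbox_unescaped('priority_note', $t_sample);
$t_good = render_textbox_escaped('priority_note', $t_sample);

echo $t_bad, "\n";   // value="x" title="injected" : attribute break-out
echo $t_good, "\n";  // value="x&quot; title=&quot;injected" : inert text

var_dump(value_stays_in_attribute($t_bad));   // bool(false)
var_dump(value_stays_in_attribute($t_good));  // bool(true)
```

The same escaping applies to the other contexts the advisory lists (plugin name on the uninstall page, project and category names in the Word export), with the escaping function chosen for the context the value lands in.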
Preconditions
- auth: Attacker must be a remote authenticated administrator in MantisBT
- input: Attacker must have access to create or modify plugin names, custom field values, project names, or category names
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/41653 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2010/2535 (nvd; Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2010-September/048548.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-September/048639.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-September/048659.html (nvd)
- secunia.com/advisories/51199 (nvd)
- security.gentoo.org/glsa/glsa-201211-01.xml (nvd)
- www.mantisbt.org/bugs/changelog_page.php (nvd)
- www.mantisbt.org/bugs/view.php (nvd)
- www.mantisbt.org/bugs/view.php (nvd)
- www.mantisbt.org/bugs/view.php (nvd)
- www.mantisbt.org/bugs/view.php (nvd)
- www.openwall.com/lists/oss-security/2010/09/14/12 (nvd)
- www.openwall.com/lists/oss-security/2010/09/14/13 (nvd)
- www.openwall.com/lists/oss-security/2010/09/14/19 (nvd)
- www.openwall.com/lists/oss-security/2010/09/16/16 (nvd)
- www.securityfocus.com/bid/43604 (nvd)
News mentions
No linked articles in our index yet.