CVE-2011-3356
Description
Multiple cross-site scripting (XSS) vulnerabilities in config_defaults_inc.php in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO, as demonstrated by the PATH_INFO to (1) manage_config_email_page.php, (2) manage_config_workflow_page.php, or (3) bugs/plugin.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT before 1.2.8 is vulnerable to XSS via PATH_INFO in multiple configuration pages, allowing remote unauthenticated attackers to inject arbitrary script.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in config_defaults_inc.php of MantisBT versions before 1.2.8. The bug stems from insufficient sanitization of PATH_INFO data when constructing URLs for pages like manage_config_email_page.php, manage_config_workflow_page.php, and bugs/plugin.php. An attacker can append malicious script as part of the URL path, which is then reflected back to the user's browser [1][2]. The issue was reported independently by Paulino Calderon (Websec) and High-Tech Bridge Security Research Lab [1][2][3][4].
Exploitation
An attacker does not require authentication or any prior access to the MantisBT installation. The exploit works by crafting a URL such as http://[host]/manage_config_email_page.php/ and luring a victim into visiting it. The malicious script in the PATH_INFO segment is reflected in the page output without proper escaping. The attack works notably on Apache servers; vanilla nginx installations are not affected because nginx validates the URL path and rejects such malformed requests [1][2].
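The PATH_INFO mechanics described in the two sections above, modelled in Python as an added example (this is not MantisBT's own code): it reproduces the `$g_path` prefix derivation from config_defaults_inc.php once with PHP_SELF (pre-1.2.8) and once with SCRIPT_NAME (1.2.8), and ends with a request-path check a defender can run over access logs. The split rule (the script name ends at the first `.php` segment) is an assumption matching Apache's default handling, and the marker segments in the tests are constructed.

```python
"""Model of the $g_path derivation in MantisBT < 1.2.8 (CVE-2011-3356).
Constructed for illustration; not MantisBT's own code.  Apache serves
/mantis/manage_config_email_page.php/EXTRA by running the .php script with
"/EXTRA" as PATH_INFO; PHP_SELF carries it, SCRIPT_NAME stops at the script."""
import posixpath
from urllib.parse import unquote

# Pages named in the CVE description; no legitimate MantisBT link sends them PATH_INFO.
AFFECTED_PAGES = ("manage_config_email_page.php",
                  "manage_config_workflow_page.php",
                  "bugs/plugin.php")

def split_request(path):
    """Return (SCRIPT_NAME, PATH_INFO); the script ends at the first '.php' segment
    (assumed Apache behaviour). A query string, if any, is dropped first."""
    segments = path.split("?", 1)[0].split("/")
    for i, seg in enumerate(segments):
        if seg.endswith(".php"):
            rest = segments[i + 1:]
            return "/".join(segments[:i + 1]), ("/" + "/".join(rest)) if rest else ""
    return path, ""

def derive_g_path(self_value):
    """The directory-prefix derivation from config_defaults_inc.php, modelled in Python:
    strip the basename of the given $_SERVER value, then step out of admin/ or soap/.
    PHP's basename()/dirname() ignore a trailing slash, hence the rstrip() calls."""
    t_path = self_value.replace(posixpath.basename(self_value.rstrip("/")), "")
    if posixpath.basename(t_path.rstrip("/")) == "admin":
        t_path = posixpath.dirname(t_path.rstrip("/")) + "/"
    if posixpath.basename(t_path.rstrip("/")) == "soap":
        t_path = posixpath.dirname(posixpath.dirname(t_path.rstrip("/"))) + "/"
    return t_path

def g_path_before_fix(request_path):
    """Pre-1.2.8: PHP_SELF = SCRIPT_NAME + PATH_INFO, so a caller-chosen middle
    segment survives into $g_path and from there into unescaped page links."""
    script, info = split_request(request_path)
    return derive_g_path(script + info)

def g_path_after_fix(request_path):
    """1.2.8: SCRIPT_NAME never contains PATH_INFO, so the prefix is always clean."""
    script, _ = split_request(request_path)
    return derive_g_path(script)

def is_suspicious(request_path):
    """Access-log check: any PATH_INFO on one of the affected pages is worth alerting on."""
    script, info = split_request(unquote(request_path))
    return info != "" and any(script.endswith("/" + p) for p in AFFECTED_PAGES)
```

Note that only a PATH_INFO with at least two segments reaches `$g_path`, since the derivation strips the last segment; the log check deliberately flags any PATH_INFO at all on these pages.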
Impact
Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, redirection to malicious sites, defacement, or other client-side attacks. Since the vulnerability is reflected and does not require authentication, the potential attack surface is broad, affecting any user who views a crafted link [1][2][3].
Mitigation
MantisBT version 1.2.8, released on September 20, 2011, fixes the issue by properly sanitizing PATH_INFO input [1][2][3][4]. Users are strongly advised to upgrade to this version or later. No official workarounds were published for installations unable to upgrade immediately, though restricting access to the affected pages via web server configuration may reduce risk. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:* range: <=1.2.7
- cpe:2.3:a:mantisbt:mantisbt:0.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:0.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.6:*:*:*:*:*:*:*
- (no CPE) range: <1.2.8
Patches
d00745f5e267 Fix issue introduced previously whereby php_Self is now used unchecked.
1 file changed · +7 −2
config_defaults_inc.php+7 −2 modified@@ -112,10 +112,15 @@ $t_host = 'localhost'; } - $t_path = str_replace( basename( $_SERVER['PHP_SELF'] ), '', $_SERVER['PHP_SELF'] ); + $t_self = $_SERVER['SCRIPT_NAME']; + $t_self = filter_var( $t_self, FILTER_SANITIZE_STRING ); + $t_path = str_replace( basename( $t_self ), '', $t_self ); $t_path = basename( $t_path ) == "admin" ? dirname( $t_path ) . '/' : $t_path; $t_path = basename( $t_path ) == "soap" ? dirname( dirname( $t_path ) ) . '/' : $t_path; - + if ( strpos( $t_path, '&#' ) ) { + echo 'Can not safely determine $g_path. Please set $g_path manually in config_inc.php'; + die; + } $t_url = $t_protocol . '://' . $t_host . $t_path;
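Review bot: the new guard `if ( strpos( $t_path, '&#' ) )` treats a match at offset 0 as no match, because `strpos` returns 0 there and 0 is falsy in PHP; the idiomatic form is `if ( strpos( $t_path, '&#' ) !== false )`. In this file `$t_path` begins with '/' so the offset-0 case is unreachable in practice, but the bare-truthy idiom should not be copied. The substantive fix in the hunk is the switch from `$_SERVER['PHP_SELF']`, which includes PATH_INFO, to `$_SERVER['SCRIPT_NAME']`, which does not; the `filter_var( ..., FILTER_SANITIZE_STRING )` call and the `&#` check only catch the encoded quotes that filter produces, so a one-line comment saying which of the two is the real mitigation would help future readers. Separately, `echo` followed by `die` inside a configuration include aborts every page load with a bare text message; `trigger_error` or an exception would let the caller decide how to report it.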
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034 (nvd: Patch)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd: Exploit, Patch)
- lists.debian.org/debian-security-tracker/2011/09/msg00012.html (nvd: Exploit)
- lists.fedoraproject.org/pipermail/package-announce/2011-September/066061.html (nvd: Exploit, Patch)
- www.mantisbt.org/bugs/view.php (nvd: Exploit)
- www.mantisbt.org/bugs/view.php (nvd: Exploit)
- www.openwall.com/lists/oss-security/2011/09/04/1 (nvd: Exploit)
- www.openwall.com/lists/oss-security/2011/09/09/9 (nvd: Exploit)
- bugzilla.redhat.com/show_bug.cgi (nvd: Exploit, Patch)
- www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html (nvd: Exploit)
- secunia.com/advisories/51199 (nvd)
- security.gentoo.org/glsa/glsa-201211-01.xml (nvd)
- securityreason.com/securityalert/8392 (nvd)
- www.securityfocus.com/archive/1/519547/100/0/threaded (nvd)
- www.securityfocus.com/bid/49448 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/69587 (nvd)