VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 21, 2011· Updated Apr 29, 2026

CVE-2011-3358

CVE-2011-3358

Description

Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) os, (2) os_build, or (3) platform parameter to (a) bug_report_page.php or (b) bug_update_advanced_page.php, related to use of the Projax library.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MantisBT before 1.2.8 fails to sanitize the os, os_build, and platform parameters, allowing remote attackers to inject arbitrary web script or HTML via XSS.

Vulnerability

MantisBT versions before 1.2.8 contain multiple cross-site scripting (XSS) vulnerabilities in the bug_report_page.php and bug_update_advanced_page.php scripts. The os, os_build, and platform parameters are passed unescaped to the Projax library's autocomplete function, allowing an attacker to inject arbitrary HTML and JavaScript into the response page [1][2][3][4]. The fix in commit 0a636b37d3425aea7b781e7f25eaeb164ac54a3d uses string_attribute() to properly encode the values before output [4].

Exploitation

An attacker can craft a malicious URL that includes a payload in the os, os_build, or platform query parameters. The attacker does not need authentication; simply tricking a logged-in or non-logged-in victim into visiting such a URL (e.g., via email, a forum post, or a phishing link) will cause the victim's browser to execute the injected script in the context of the MantisBT site [1][3]. No special network position or user interaction beyond clicking the crafted link is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the security context of the affected MantisBT installation. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites [2][3]. The impact is limited to the browser session and does not directly grant server-side access.

Mitigation

The vulnerability is fixed in MantisBT version 1.2.8, released on 2011-09-21. Users should upgrade immediately [1][2]. There is no KEV listing. No other workarounds are documented in the available references; the fix ensures that the os, os_build, and platform values are properly escaped using string_attribute() before being passed to the Projax library [4].

References
  1. security - Re: CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)
  2. security - CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)
  3. MantisBT CMS Multiple Vulnerabilities(SQL/XSS) - CXSecurity.com
  4. Issue #13281: Fix Projax XSS issues (unescaped value attributes) · mantisbt/mantisbt@0a636b3

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

28
  • Mantisbt/Mantisbt28 versions
    cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*+ 27 more
    • cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*range: <=1.2.7
    • cpe:2.3:a:mantisbt:mantisbt:0.19.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.6:*:*:*:*:*:*:*
    • (no CPE)range: <1.2.8

Patches

1
0a636b37d342

Issue #13281: Fix Projax XSS issues (unescaped value attributes)

https://github.com/mantisbt/mantisbtDavid HicksSep 4, 2011via nvd-ref
commit
2 files changed · +6 6
  • bug_report_page.php+3 3 modified
    @@ -291,7 +291,7 @@
 							</select>
 							<?php
 								} else {
-									projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => $f_platform, 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+									projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => string_attribute( $f_platform ), 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 								}
 							?>
 						</td>
@@ -308,7 +308,7 @@
 							</select>
 							<?php
 								} else {
-									projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => $f_os, 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+									projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => string_attribute( $f_os ), 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 								}
 							?>
 						</td>
@@ -327,7 +327,7 @@
 								</select>
 							<?php
 								} else {
-									projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => $f_os_build, 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
+									projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => string_attribute( $f_os_build ), 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
 								}
 							?>
 						</td>
  • bug_update_advanced_page.php+3 3 modified
    @@ -438,7 +438,7 @@
 			print_platform_option_list( $tpl_bug->platform );
 			echo '</select>';
 		} else {
-			projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => $tpl_bug->platform, 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+			projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => string_attribute( $tpl_bug->platform ), 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 		}
 
 		echo '</td>';
@@ -456,7 +456,7 @@
 			print_os_option_list( $tpl_bug->os );
 			echo '</select>';
 		} else {
-			projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => $tpl_bug->os, 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+			projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => string_attribute( $tpl_bug->os ), 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 		}
 
 		echo '</td>';
@@ -474,7 +474,7 @@
 			print_os_build_option_list( $tpl_bug->os_build );
 			echo '</select>';
 		} else {
-			projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => $tpl_bug->os_build, 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
+			projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => string_attribute( $tpl_bug->os_build ), 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
 		}
 
 		echo '</td>';

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

16

News mentions

0

No linked articles in our index yet.