CVE-2014-9571
Description
MantisBT admin/install.php contains a reflected XSS vulnerability allowing remote attackers to inject arbitrary web script via admin_username or admin_password parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the admin/install.php script of MantisBT. The values of the admin_username and admin_password request parameters are echoed back into the installer page without escaping, so a request carrying markup or script in either parameter has that content rendered as part of the page. This affects MantisBT versions before 1.2.19 and 1.3.x before 1.3.0-beta.2 [1][2][3][4].
Exploitation
An attacker crafts a link (or a form) whose admin_username or admin_password value carries the payload and persuades a user, typically an administrator, to load it in a browser that holds a MantisBT session. No credentials are needed to reach admin/install.php, since it is the installer, so the crafted request itself requires nothing from the attacker. The script runs in whichever browser renders the response; what makes the attack worthwhile is that the victim's browser is logged in to MantisBT, because that gives the injected script a session and the application's origin to act in [1][4]. The attack also presupposes that the admin directory is still reachable on the target, a directory MantisBT recommends removing or access-restricting once installation is complete.
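As an added example, not from the advisory or from the MantisBT project, the following PHP 8 script scans combined-format web server access log lines for the GET form of this attack: any request to admin/install.php that the server answered with a 2xx, which on a production instance means the installer was never removed, and any admin_username or admin_password value containing characters that can close an attribute or open a tag. The log lines are constructed for the example, and the /mantis/ path prefix is an assumption.

```php
<?php
// Added example, not part of the advisory or of MantisBT: scan combined-format
// access log lines for the GET form of the admin/install.php reflected XSS.
// The log lines are constructed for this example; /mantis/ is an assumed prefix.

declare(strict_types=1);

const SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2015:10:14:03 +0000] "GET /mantis/admin/install.php?admin_username=%22%20autofocus%20onfocus%3D%22alert(document.domain)%22%20x%3D%22&admin_password=x HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jan/2015:10:15:11 +0000] "GET /mantis/view_all_bug_page.php HTTP/1.1" 200 15210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jan/2015:10:16:40 +0000] "GET /mantis/admin/install.php?admin_username=administrator HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
];

// Pull client IP, timestamp, method, request target and status out of one
// combined-format line; returns null for lines that do not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Return the admin_username / admin_password values that contain characters
// able to break out of a quoted attribute or open a tag.
function markup_in_params(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY) ?? '';
    parse_str($query, $q);   // percent-decodes, as PHP does when filling $_GET
    $hits = [];
    foreach (['admin_username', 'admin_password'] as $name) {
        if (isset($q[$name]) && is_string($q[$name]) && preg_match('/[<>"\']/', $q[$name])) {
            $hits[$name] = $q[$name];
        }
    }
    return $hits;
}

// Produce one finding per reachable installer hit and one per parameter
// carrying markup; each finding is an array with ip, time and reason keys.
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $path = parse_url($req['target'], PHP_URL_PATH) ?? '';
        if (!str_ends_with($path, '/admin/install.php')) {
            continue;
        }
        // A 2xx from the installer on a production instance means the admin
        // directory was never removed, which is a finding on its own.
        if ($req['status'] >= 200 && $req['status'] < 300) {
            $findings[] = ['ip' => $req['ip'], 'time' => $req['time'], 'reason' => 'installer_reachable'];
        }
        foreach (markup_in_params($req['target']) as $param => $value) {
            $findings[] = ['ip' => $req['ip'], 'time' => $req['time'], 'reason' => "markup_in_$param", 'value' => $value];
        }
    }
    return $findings;
}

foreach (scan_log(SAMPLE_LOG) as $f) {
    printf("%s %s %s%s\n", $f['time'], $f['ip'], $f['reason'], isset($f['value']) ? ' value=' . $f['value'] : '');
}
```

Run with php scan_log.php. Both findings come from the first constructed entry; the third entry is answered with a 404, showing an instance whose admin directory is already gone. Access logs hold only the query string, so a payload delivered in a POST body (for instance by an auto-submitting form the victim is lured to) never appears here; that case needs the application or a WAF to inspect request bodies.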
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser. This can lead to cookie theft, session hijacking, defacement, or phishing attacks against other users [1][4]. The CVSSv2 base score for this XSS is 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) [4].
Mitigation
The vulnerability is fixed in MantisBT versions 1.2.19 and 1.3.0-beta.2; users should upgrade to these or later versions. The fix passes the two parameters through string_attribute() so that they are escaped before being echoed into the page [1][2][3]. The references document no workaround other than upgrading. Independently of this bug, MantisBT recommends removing or access-restricting the admin directory once installation is complete, which takes the affected script out of reach.
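To make the vulnerable pattern and the fix concrete, here is an added PHP example that is not MantisBT's code: a simplified stand-in for the installer form that echoes admin_username and admin_password into input value attributes, once the way the affected versions did it (a reconstruction, not the original source) and once with attribute-context escaping as the fix applies. escape_attr() is an assumed helper built on htmlspecialchars() that stands in for MantisBT's string_attribute() and is not that function; the crafted request values are constructed for the example.

```php
<?php
// Added example, not MantisBT's own code: a simplified stand-in for the
// installer form that echoes admin_username and admin_password into input
// value attributes, first the way the affected versions did (reconstruction),
// then with attribute escaping as the fix applies. escape_attr() is an
// assumed helper standing in for MantisBT's string_attribute().

declare(strict_types=1);

function escape_attr(string $s): string
{
    // ENT_QUOTES also encodes single quotes, so the same helper is safe
    // whether the attribute is wrapped in double or single quotes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Pre-fix pattern: raw request values are concatenated straight into markup.
function render_admin_fields_vulnerable(array $params): string
{
    $user = $params['admin_username'] ?? '';
    $pass = $params['admin_password'] ?? '';
    return '<input type="text" name="admin_username" value="' . $user . '">' . "\n"
         . '<input type="password" name="admin_password" value="' . $pass . '">' . "\n";
}

// Fixed pattern: every request value is escaped for the attribute context.
function render_admin_fields_fixed(array $params): string
{
    $user = escape_attr($params['admin_username'] ?? '');
    $pass = escape_attr($params['admin_password'] ?? '');
    return '<input type="text" name="admin_username" value="' . $user . '">' . "\n"
         . '<input type="password" name="admin_password" value="' . $pass . '">' . "\n";
}

// True if the raw input appears verbatim in the output, i.e. nothing was escaped.
function reflects_verbatim(string $html, string $input): bool
{
    return $input !== '' && str_contains($html, $input);
}

// Constructed request: the leading quote closes the value attribute, after
// which the browser parses autofocus/onfocus as attributes of their own and
// fires the handler on load; the trailing x=" swallows the template's quote.
$crafted = [
    'admin_username' => '" autofocus onfocus="alert(document.domain)" x="',
    'admin_password' => 'secret',
];

$vulnerable = render_admin_fields_vulnerable($crafted);
$fixed      = render_admin_fields_fixed($crafted);

echo "--- vulnerable output (payload reflected verbatim: ",
     reflects_verbatim($vulnerable, $crafted['admin_username']) ? 'yes' : 'no', ") ---\n", $vulnerable;
echo "--- fixed output (payload reflected verbatim: ",
     reflects_verbatim($fixed, $crafted['admin_username']) ? 'yes' : 'no', ") ---\n", $fixed;
```

Run with php install_form.php. In the vulnerable output the first double quote of the payload terminates value="...", so the browser parses autofocus and onfocus as attributes of their own and runs the handler as soon as the field receives focus; in the fixed output every quote becomes &quot; and the whole string stays inside the attribute as text. The check to carry into code review is the output context: an htmlspecialchars() call that leaves single quotes alone is only safe when the attribute is double-quoted, so ENT_QUOTES is the habit to form.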
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- 132cd6d0
- 6d47c047
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- seclists.org/oss-sec/2015/q1/156 (nvd, Exploit)
- www.htbridge.com/advisory/HTB23243 (nvd, Exploit)
- www.mantisbt.org/bugs/view.php (nvd, Vendor Advisory)
- www.securitytracker.com/id/1031633 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/100209 (nvd)
- github.com/mantisbt/mantisbt/commit/132cd6d0 (nvd)
- github.com/mantisbt/mantisbt/commit/6d47c047 (nvd)
- www.mantisbt.org/bugs/view.php (nvd)
News mentions
No linked articles in our index yet.