CVE-2018-13055
Description
Reflected XSS vulnerability in MantisBT 2.1.0 through 2.15.0 via crafted PATH_INFO on the View Filters page, enabling script injection when CSP is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in view_filters_page.php of Mantis Bug Tracker (MantisBT) versions 2.1.0 through 2.15.0. The root cause is the unsanitized use of $_SERVER['PHP_SELF'] in core/filter_form_api.php at line 2396, introduced during the Filter API refactoring [3]. Because PHP builds PHP_SELF from the requested path, any PATH_INFO suffix appended to the script name becomes part of that value and is reflected into the page, so an attacker can inject arbitrary JavaScript through a crafted PATH_INFO value [1][3]. The vulnerability is exploitable only if the instance's Content Security Policy (CSP) permits script execution; under a strict CSP the injected script may be blocked [1][3].
Exploitation
An attacker can craft a malicious URL targeting view_filters_page.php whose PATH_INFO carries the XSS payload (e.g., /). No authentication is required; any visitor who opens the crafted URL triggers the reflected XSS. No user interaction is needed beyond following the link (e.g., via social engineering). Successful exploitation depends on the instance's CSP, as enforced by the victim's browser, not blocking the injected script [1][3].
Impact
If the injected script executes, the attacker can perform arbitrary actions in the context of the victim's session on the MantisBT instance, including stealing session cookies, modifying filters, creating or altering bug reports, and escalating privileges. A properly configured CSP limits the impact, since the script may be blocked [1][3].
Mitigation
The vulnerability is fixed in MantisBT versions 2.16.0 and 2.15.1, released on the same day [4]. The fix passes $_SERVER['PHP_SELF'] through string_sanitize_url() before the value is used [3]. Users should upgrade to a patched version. The advisory provides no workaround via configuration changes alone [3]; enforcing a strict Content Security Policy that blocks inline scripts and untrusted sources reduces the impact but does not remove the flaw.
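The pattern behind this CVE, as an added example that is not MantisBT's code: a form action built from the raw PHP_SELF value beside a hardened version. MantisBT's fix uses its own string_sanitize_url() helper; this example instead uses PHP's built-in htmlspecialchars() and the PATH_INFO-free SCRIPT_NAME, which is the general form of the same defence. The $server array and its values are constructed stand-ins for $_SERVER.

```php
<?php
// Added example, not MantisBT code. $server stands in for $_SERVER and every
// value in it is constructed for the demonstration.

// PHP fills PHP_SELF from the requested path, so a request to
// /view_filters_page.php/anything yields a PHP_SELF that ends in "/anything".
// SCRIPT_NAME holds only the path of the script that actually ran.

function vulnerable_form_action(array $server): string {
    // Shape of the unfixed code: the raw value is written into an HTML
    // attribute, so any quote or angle bracket in PATH_INFO reaches the page.
    return '<form action="' . $server['PHP_SELF'] . '">';
}

function hardened_form_action(array $server): string {
    // Prefer SCRIPT_NAME, which carries no PATH_INFO, and escape for the
    // attribute context regardless of where the value came from.
    $path = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $path . '">';
}

function is_safely_embedded(string $html, string $expected_path): bool {
    // Check that the only tag in the output is the form tag itself and that
    // the action attribute holds exactly the escaped expected path.
    $escaped = htmlspecialchars($expected_path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return substr_count($html, '<') === 1
        && strpos($html, 'action="' . $escaped . '"') !== false;
}

// Constructed request whose URL suffix carries markup characters.
$sample = [
    'SCRIPT_NAME' => '/view_filters_page.php',
    'PHP_SELF'    => '/view_filters_page.php/"><i>injected</i>',
];

var_dump(is_safely_embedded(vulnerable_form_action($sample), $sample['SCRIPT_NAME']));
var_dump(is_safely_embedded(hardened_form_action($sample), $sample['SCRIPT_NAME']));
```

Run with `php example.php`: the first check fails because the markup in PATH_INFO closes the action attribute and adds tags of its own, the second passes. Escaping alone would also neutralise the sample, but dropping PATH_INFO at the source removes attacker influence over the value entirely, which is the stronger property to rely on.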
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | >= 2.1.0, < 2.15.1 | 2.15.1 |
Affected products
Patches (1)
4efac90ed89a Fix XSS in filter_form_draw_inputs() (CVE-2018-13055)
1 file changed · +1 −0
core/filter_form_api.php+1 −0 modified@@ -2394,6 +2394,7 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f if( null === $p_static_fallback_page ) { $p_static_fallback_page = $_SERVER['PHP_SELF']; + $p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] ); } $t_filters_url = $p_static_fallback_page; $t_get_params = $_GET;
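Review bot: the hunk keeps the original `$p_static_fallback_page = $_SERVER['PHP_SELF'];` and adds the sanitized assignment on the next line, so the first assignment is now dead code that is immediately overwritten; replacing the original line (a `-`/`+` pair) rather than appending would make the intent clearer and avoid a reader assuming the raw value is still used somewhere. The sanitized value then flows into `$t_filters_url`, so the single sanitization point covers that use, but since the raw PHP_SELF includes PATH_INFO, consider deriving the fallback page from `$_SERVER['SCRIPT_NAME']` (which carries no PATH_INFO) so correctness does not rest solely on what string_sanitize_url() strips.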
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-mjp7-97w4-jwhc (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2018-13055 (advisory)
- [3] github.com/mantisbt/mantisbt/commit/4efac90ed89a5c009108b641e2e95683791a165a (fix commit, x_refsource_CONFIRM)
- [4] mantisbt.org/blog/archives/mantisbt/602 (MantisBT blog, x_refsource_CONFIRM)
- [5] mantisbt.org/bugs/view.php (MantisBT bug tracker, x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.