VYPR
Moderate severity · NVD Advisory · Published Aug 3, 2018 · Updated Aug 5, 2024

CVE-2018-14504

Description

A stored XSS vulnerability in MantisBT's Edit Filter page allows attackers to execute arbitrary JavaScript when a specially crafted filter name is displayed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in manage_filter_edit_page.php in MantisBT versions 2.x through 2.15.0 [1]. The application fails to properly sanitize the filter name before echoing it into an `<input>` field's value attribute, allowing an attacker to inject arbitrary HTML and JavaScript. No special configuration is required beyond a standard MantisBT installation; the vulnerability is reachable when a user views or edits a filter with a crafted name [3].

Exploitation

An authenticated user with the ability to create or edit filters sets a filter name containing a malicious payload, such as `foobar" onclick="alert(1)` [1]. When another user (including an administrator) visits the Edit Filter page (e.g., manage_filter_edit_page.php), the unsanitized payload is rendered in the page's HTML. The attacker does not require a privileged account beyond filter creation permissions, and the exploit triggers upon page load (if CSP settings allow inline event handlers) [1] [3].

Impact

Successful exploitation results in arbitrary JavaScript execution in the context of the victim's browser, which can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The impact is limited by Content Security Policy (CSP) settings; if CSP denies inline scripts, the attack is only possible if event handlers are not restricted [1]. The attacker gains no direct access to the server, but can compromise the victim's session and data within the MantisBT application [2].

Mitigation

The vulnerability is fixed in MantisBT versions 2.16.0 and 2.15.1, released on or about August 3, 2018 [4]. The patch applies string_display_line() to escape the filter name output [3]. Users should upgrade to the latest supported version. If upgrading is not immediately possible, system administrators can implement a strict Content Security Policy that disallows inline event handlers as a temporary workaround [1].
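
The effect of that escaping, as an added example that is not MantisBT's code: it renders the same input element with the filter name quoted above, raw and escaped, and lists the attributes an HTML parser finds. Assumptions: htmlspecialchars() stands in for string_display_line(), render_input() and input_attributes() are hypothetical helpers, and PHP's dom extension is available.

```php
<?php
// Added example, not MantisBT code. htmlspecialchars() is a stand-in for the
// project's string_display_line(); both helper functions are hypothetical.

// Build the input element the way the page does, with or without escaping.
function render_input(string $name, bool $escape): string {
    $value = $escape ? htmlspecialchars($name, ENT_QUOTES, 'UTF-8') : $name;
    return '<input type="text" size="25" name="filter_name" maxlength="64" value="'
        . $value . '">';
}

// Parse the markup and return attribute name => value for the first <input>,
// i.e. what a browser-style parser sees rather than what the template meant.
function input_attributes(string $html): array {
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Attributes the template is supposed to emit; anything else was injected.
$expected = ['type', 'size', 'name', 'maxlength', 'value'];

// Filter name quoted in the advisory text.
$name = 'foobar" onclick="alert(1)';

foreach ([false, true] as $escape) {
    $attrs = input_attributes(render_input($name, $escape));
    $extra = array_diff(array_keys($attrs), $expected);
    printf(
        "%-8s unexpected attributes: [%s]  value: %s\n",
        $escape ? 'escaped' : 'raw',
        implode(', ', $extra),
        var_export($attrs['value'], true)
    );
}
```

The same attribute-set comparison works as a regression check for any template that echoes stored text into a quoted attribute.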

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| mantisbt/mantisbt (Packagist) | >= 2.0.0, < 2.15.1 | 2.15.1 |

Patches

8b5fa243dbf0

Fix XSS on filter edit page (CVE-2018-14504)

https://github.com/mantisbt/mantisbt · Roland Becker · Jul 13, 2018 · via ghsa
1 file changed · +1 -1
  • manage_filter_edit_page.php · +1 -1 · modified
    @@ -124,7 +124,7 @@
     						<div class="form-inline">
     							<label>
     								<?php echo lang_get( 'query_name' ) ?>&nbsp;
    -								<input type="text" size="25" name="filter_name" maxlength="64" value="<?php echo filter_get_field( $f_filter_id, 'name' ) ?>">
    +								<input type="text" size="25" name="filter_name" maxlength="64" value="<?php echo string_display_line( filter_get_field( $f_filter_id, 'name' ) ) ?>">
     							</label>
     						</div>
     					</div>
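
Review bot: The escaped value on the changed input line still lands inside a double-quoted value="..." attribute, so the fix holds only if string_display_line() encodes the double quote and not just angle brackets; the reported filter name breaks out with a quote, not a tag. Please confirm that behaviour or use an escaper intended for attribute context here, and add a regression test that stores a filter name containing a double quote and asserts the rendered input carries no attributes beyond type, size, name, maxlength and value. Since only this one echo in one file changes, it is also worth checking whether other pages print the filter name without escaping.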
    
