CVE-2018-16514
Description
MantisBT 2.1.0 through 2.17.0 has a reflected XSS in filter pages due to incomplete fix for CVE-2018-13055, allowing arbitrary script injection via crafted PATH_INFO.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The vulnerability is a reflected cross-site scripting (XSS) flaw in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_edit_page.php) of MantisBT versions 2.1.0 through 2.17.0. It stems from improper sanitization of the PATH_INFO parameter. This issue represents an incomplete fix for the previously identified CVE-2018-13055, as the initial patch did not fully address the injection vector [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing executable code in the PATH_INFO segment (e.g., ?/"onmouseover='prompt(1)'). When a user visits the crafted URL, the injected code is reflected in the page output. Successful exploitation requires that the browser's Content Security Policy (CSP) settings allow execution of the injected code; otherwise, the browser may block it. However, as noted in the bug report, even with CSP enforcement, the code is still reflected in the page source [2]. The attack does not require authentication, but relies on social engineering to trick a victim into clicking the malicious link.
Impact
If exploited successfully, an attacker can execute arbitrary JavaScript in the context of the victim's browser session. This could lead to session hijacking, data theft, defacement, or other malicious actions, depending on the privileges of the victim within the MantisBT application [1][2].
Mitigation
The vulnerability was fixed in MantisBT version 2.17.1. Users are advised to upgrade to this version or later. As a workaround, administrators can implement strict Content Security Policy headers to mitigate script execution, though this does not prevent the reflection of the payload [2]. The root cause lies in the core/filter_form_api.php file, specifically around line 2779, where the PATH_INFO was not properly escaped [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
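One way to look for requests that carry PATH_INFO on the two affected pages in web-server access logs, as an added example that is not part of the original advisory or of the MantisBT code base. The combined log format, the sample entries and the rule that any PATH_INFO on these pages deserves review are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Pages the advisory names as reflecting PATH_INFO.
AFFECTED_PAGES = ("view_filters_page.php", "manage_filter_edit_page.php")
# Characters that can break out of an HTML attribute or tag once reflected.
MARKUP_CHARS = set("\"'<>")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries; the second carries the advisory's example string.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2018:10:01:02 +0000] "GET /mantis/view_filters_page.php?for_screen=1 HTTP/1.1" 200 5120',
    "198.51.100.7 - - [10/Sep/2018:10:01:09 +0000] \"GET /mantis/view_filters_page.php/%22onmouseover='prompt(1)' HTTP/1.1\" 200 5342",
    '203.0.113.9 - - [10/Sep/2018:10:02:11 +0000] "GET /mantis/manage_filter_edit_page.php/extra?filter_id=3 HTTP/1.1" 200 4100',
    '203.0.113.9 - - [10/Sep/2018:10:02:30 +0000] "GET /mantis/my_view_page.php HTTP/1.1" 200 900',
]

def path_info(target):
    """Return the decoded PATH_INFO for an affected page, or None if absent."""
    path = urlsplit(target).path
    for page in AFFECTED_PAGES:
        idx = path.find(page)
        if idx != -1:
            extra = path[idx + len(page):]
            # The server URL-decodes PATH_INFO before PHP sees it, so decode here too.
            return unquote(extra) if extra.startswith("/") else None
    return None

def classify(line):
    """Return (severity, path_info) for one log line, or None if not relevant."""
    match = REQUEST_RE.search(line)
    info = path_info(match.group(1)) if match else None
    if info is None:
        return None
    # Assumption: these pages never expect PATH_INFO, so any is worth review;
    # markup characters match the reflection the advisory describes.
    return ("high" if MARKUP_CHARS & set(info) else "review"), info

def scan(lines):
    """Return (line_number, severity, path_info) for each flagged entry."""
    results = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, *r) for n, r in results if r]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a request reached the page with PATH_INFO attached; whether it was reflected depends on the installed MantisBT version.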
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | >= 2.1.0, < 2.17.1 | 2.17.1 |
Affected products
- MantisBT/MantisBT
Patches
66091a426266 Use SCRIPT_NAME instead of PHP_SELF
1 file changed · +2 −3
core/filter_form_api.php+2 −3 modified@@ -2393,10 +2393,9 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f } if( null === $p_static_fallback_page ) { - $p_static_fallback_page = $_SERVER['PHP_SELF']; - $p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] ); + $p_static_fallback_page = $_SERVER['SCRIPT_NAME']; } - $t_filters_url = $p_static_fallback_page; + $t_filters_url = helper_mantis_url( $p_static_fallback_page ); $t_get_params = $_GET; $t_get_params['for_screen'] = $p_for_screen; $t_get_params['static'] = ON;
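Review bot: the fallback assignment `$p_static_fallback_page = $_SERVER['SCRIPT_NAME'];` drops the `string_sanitize_url()` call without a comment saying why the raw value is now safe to use. A one-line comment noting that `PHP_SELF` carries the client-supplied PATH_INFO while `SCRIPT_NAME` does not would keep a later edit from reintroducing it. Separately, `helper_mantis_url()` now wraps `$p_static_fallback_page` even when the caller passed a non-null value, and `$t_get_params` is still seeded from `$_GET`; neither is visibly escaped in this hunk, so confirm that `$t_filters_url` and the parameters are HTML-escaped at the point where they are written into the page.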
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3qv7-98vm-xx2v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-16514 (ghsa, ADVISORY)
- github.com/mantisbt/mantisbt/blob/006cd0cd90c37097e1a065fd3e59ce2534490834/core/filter_form_api.php (ghsa, WEB)
- github.com/mantisbt/mantisbt/commit/66091a42626631a3063774eb0fb8a4218ab22fd4 (ghsa, WEB)
- mantisbt.org/bugs/view.php (ghsa, x_refsource_MISC, WEB)