VYPR
Moderate severity · NVD Advisory · Published Oct 30, 2018 · Updated Aug 5, 2024

CVE-2018-17783

Description

MantisBT 2.1.0 through 2.17.1 has a stored XSS in the Edit Filter page via a crafted project name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Edit Filter page (manage_filter_edit_page.php) of MantisBT versions 2.1.0 through 2.17.1 [1][2]. The bug occurs because the output of project_get_name() is echoed directly into the page's HTML without escaping, so a crafted project name can inject arbitrary JavaScript. The vulnerability is exploitable only when the attacker has rights to create or modify projects (e.g., a user with manager or administrator privileges) and when the Content Security Policy (CSP) settings permit inline script execution [1].

Exploitation

An attacker with sufficient privileges to create or rename a project (typically a manager or administrator) can insert malicious JavaScript into the project name field. When an administrator or other user views the Edit Filter page for a filter that references that project, the unescaped project name is rendered inside the span label element, causing the injected script to execute in the victim's browser context [3][4]. The attack requires no user interaction beyond navigating to the affected page.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, modification of page content, or further actions within the MantisBT application under the victim's privileges. The impact is limited by the attacker's need for project management rights and permissive CSP settings, but an administrator viewing the filter edit page is fully compromised.

Mitigation

The fix was committed in commit b9453cd7643b7c5b1b8c716b1dbd4d7d9571d1ec and released in MantisBT version 2.17.1 [3][4]. Users should upgrade to 2.17.1 or later. If upgrading is not possible, a workaround is to restrict project creation and rename privileges to trusted users only, and to enforce a strict Content Security Policy that blocks inline scripts.
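To make the output boundary concrete, the following is an added example, not code from MantisBT or this advisory: it rebuilds the radio label from manage_filter_edit_page.php with a stand-in for string_display_line() (assumed here to be htmlspecialchars() plus line-break folding) and a constructed project name, and checks which rendering leaves only the template's own tags.

```php
<?php
// Added illustration, not MantisBT's code: demo_display_line() is a stand-in for the
// string_display_line() helper the fix introduces, reduced to the escaping step that matters here.
function demo_display_line(string $p_string): string {
    // Fold line breaks into spaces (it is a single-line display helper) and HTML-escape
    // the rest, quotes included, so the value is inert in text nodes and attributes alike.
    $t_string = str_replace(["\r\n", "\r", "\n"], ' ', $p_string);
    return htmlspecialchars($t_string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Builds the radio label the way manage_filter_edit_page.php does; $p_escape selects
// the pre-fix (raw echo) or post-fix (escaped) behaviour for the project name.
function render_project_label(string $p_label, string $p_project_name, bool $p_escape): string {
    $t_name = $p_escape ? demo_display_line($p_project_name) : $p_project_name;
    return '<span class="lbl padding-6">' . $p_label . ' (' . $t_name . ')</span>';
}

// Regression check for the fix: with escaping, the only tags in the output are the
// template's own opening and closing <span>, whatever a project manager typed into the name.
function label_is_inert(string $p_html): bool {
    return substr_count($p_html, '</span>') === 1 && substr_count($p_html, '<') === 2;
}

// Constructed project name: harmless markup is enough to show the missing boundary.
$t_crafted_name = "Demo</span><b>injected</b>";

$t_before = render_project_label('Stored project', $t_crafted_name, false);
$t_after  = render_project_label('Stored project', $t_crafted_name, true);

echo "before fix: ", $t_before, PHP_EOL;
echo "after fix:  ", $t_after, PHP_EOL;
echo "before inert? ", label_is_inert($t_before) ? 'yes' : 'no', PHP_EOL;
echo "after inert?  ", label_is_inert($t_after) ? 'yes' : 'no', PHP_EOL;
```

Running it with `php` prints the raw rendering with the injected tags intact and the escaped rendering with them neutralised; only the latter passes label_is_inert().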

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mantisbt/mantisbt (Packagist)
Affected versions: >= 2.1.0, < 2.17.2
Patched versions: 2.17.2

Affected products

1

Patches

1
b9453cd7643b

Fix XSS in manage_filter_edit_page

https://github.com/mantisbt/mantisbt · Roland Becker · Sep 29, 2018 · via ghsa
1 file changed · +2 -2
  • manage_filter_edit_page.php · +2 -2 · modified
    @@ -185,14 +185,14 @@
     								<?php if( ALL_PROJECTS != $t_filter_project_id ) { ?>
     								<label>
     									<input type="radio" class="ace input-sm" name="filter_project_id" value="<?php echo $t_filter_project_id ?>" <?php check_checked( ALL_PROJECTS != $t_filter_project_id ) ?>>
    -									<span class="lbl padding-6"><?php echo lang_get( 'stored_project' ) . ' (' . project_get_name( $t_filter_project_id ) . ')' ?></span>
    +									<span class="lbl padding-6"><?php echo lang_get( 'stored_project' ) . ' (' . string_display_line( project_get_name( $t_filter_project_id ) ) . ')' ?></span>
     								</label>
     								<br>
     								<?php } ?>
     								<?php if( $t_filter_project_id != $t_current_project_id ) { ?>
     								<label>
     									<input type="radio" class="ace input-sm" name="filter_project_id" value="<?php echo $t_current_project_id ?>">
    -									<span class="lbl padding-6"><?php echo lang_get( 'current_project' ) . ' (' . project_get_name( $t_current_project_id ) . ')' ?></span>
    +									<span class="lbl padding-6"><?php echo lang_get( 'current_project' ) . ' (' . string_display_line( project_get_name( $t_current_project_id ) ) . ')' ?></span>
     								</label>
     								<?php } ?>
     							</td>
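Review bot: the two span labels now pass project_get_name() through string_display_line() before echoing, which is the right place to fix this (escape at the output boundary, not at storage time), but the radio inputs in the same hunk still echo $t_filter_project_id and $t_current_project_id raw into their value="..." attributes. If those ids are guaranteed integers by the time they reach this template that is fine; otherwise cast with (int) or apply the same escaping there so the attribute context is covered too. A short note in the commit message explaining why string_display_line() is the helper of choice for this single-line label would help future edits of the page pick the same one.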

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5