CVE-2019-15074
Description
Stored XSS in MantisBT Timeline allows arbitrary code execution via crafted attachment filename.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2019-15074 is a stored cross-site scripting (XSS) vulnerability in the Timeline feature of Mantis Bug Tracker (MantisBT) through version 2.21.1. The flaw is reached through my_view_page.php, where the filename of an uploaded attachment is rendered into the timeline HTML without escaping. An attacker can upload a file whose name carries a script payload, such as ">.jpg, which is stored with the issue and executed in the browser of any user viewing the My View Page [1][2].
Exploitation
To exploit this vulnerability, an attacker must be able to upload attachments to an issue that is visible to other users. No privileges beyond standard issue reporting are required. When a victim opens the My View Page, the crafted filename is rendered in the timeline and the payload runs. The attack succeeds only if the Content Security Policy (CSP) the MantisBT site sends to the browser permits inline script execution; many default configurations do not block such attacks [2].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session. This can lead to data theft, session hijacking, defacement, or other malicious actions, depending on the application's CSP settings. Every user who can see the issue is exposed, which makes this a high-severity stored XSS [1][4].
Mitigation
The MantisBT project addressed this vulnerability in commit 9cee1971c498bbe0a72bca1c773fae50171d8c27, which sanitizes the filename using string_html_specialchars() before display [4]. Users should upgrade to MantisBT version 2.21.2 or later. No workaround is available for unpatched installations; administrators should apply the patch immediately [2][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
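As an added example of the fix described under Mitigation (not MantisBT's own code), the following PHP reproduces the timeline rendering before and after the patch: a stand-in for the html() method of IssueAttachmentTimelineEvent, with string_html_specialchars() modelled as a thin htmlspecialchars() wrapper. The template string, user name and attachment filename are constructed for the demonstration.

```php
<?php
// Added example, not MantisBT's own code: a minimal stand-in for the html()
// method of IssueAttachmentTimelineEvent, rendered the pre-fix way and the
// post-fix way (commit 9cee1971c498). The template string, the user name and
// the attachment filename below are constructed for the demonstration.
declare(strict_types=1);

// Stand-in for MantisBT's string_html_specialchars(): escape for an HTML text context.
function string_html_specialchars(string $p_string): string {
    return htmlspecialchars($p_string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed template, playing the role of lang_get( $t_string ) in the real code.
// The user name is assumed to be already safe, as prepare_user_name() makes it in MantisBT.
const TIMELINE_TEMPLATE =
    '<div class="entry">%s attached file %s to <a href="view.php?id=1">0000001</a></div>';

// Before the fix: the attachment filename is placed into the markup unescaped.
function render_timeline_event_vulnerable(string $p_user, string $p_filename): string {
    return sprintf(TIMELINE_TEMPLATE, $p_user, $p_filename);
}

// After the fix: the filename is escaped before it reaches sprintf().
function render_timeline_event_fixed(string $p_user, string $p_filename): string {
    return sprintf(TIMELINE_TEMPLATE, $p_user, string_html_specialchars($p_filename));
}

// Defensive check: any '<' beyond those the template itself emits means the
// filename contributed markup of its own.
function has_injected_markup(string $p_rendered): bool {
    return substr_count($p_rendered, '<') > substr_count(TIMELINE_TEMPLATE, '<');
}

// Constructed filename carrying a quote and a tag, the shape the advisory describes.
$t_filename = 'report"><i>x</i>.jpg';
$t_user = 'reporter';

foreach (['vulnerable' => 'render_timeline_event_vulnerable',
          'fixed'      => 'render_timeline_event_fixed'] as $t_label => $t_renderer) {
    $t_html = $t_renderer($t_user, $t_filename);
    printf("%-10s injected markup: %s\n%s\n\n",
        $t_label, has_injected_markup($t_html) ? 'yes' : 'no', $t_html);
}
```

The same check can be turned into a regression test for any view that prints attachment names, since the filename is user-controlled wherever it is displayed.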
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.21.2 | 2.21.2 |
Affected products
- MantisBT/MantisBT
Patches
9cee1971c498 Fix XSS on timeline (CVE-2019-15074)
1 file changed · +1 −1
core/classes/IssueAttachmentTimelineEvent.class.php+1 −1 modified@@ -73,7 +73,7 @@ public function html() { . sprintf( lang_get( $t_string ), prepare_user_name( $this->user_id ), $t_bug_link, - $this->filename + string_html_specialchars( $this->filename ) ) . '</div>'; $t_html .= $this->html_end();
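Review bot: The one-line change escapes only the filename argument of sprintf(); prepare_user_name( $this->user_id ) and $t_bug_link are passed through unchanged, so the fix relies on those two already producing escaped HTML, and lang_get( $t_string ) on being a trusted format string from the language files. That assumption is worth a short comment on the line, and the commit carries no test: a regression test that renders an IssueAttachmentTimelineEvent whose filename contains `"` and `<` and asserts that html() returns them as `&quot;` and `&lt;` would lock the behaviour in.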
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gg4j-279j-22ph (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15074 (NVD)
- github.com/mantisbt/mantisbt/commit/9cee1971c498bbe0a72bca1c773fae50171d8c27 (fix commit, CONFIRM)
- mantisbt.org/bugs/view.php (MantisBT bug tracker, MISC)
News mentions
No linked articles in our index yet.