Moderate severity · NVD Advisory · Published Jun 24, 2022 · Updated Aug 3, 2024
CVE-2022-33910
Description
An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute.
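One way to serve uploaded attachments so that an SVG is downloaded rather than rendered in the browser, as an added example (not MantisBT's code and not its actual patch). The function name `attachment_headers` and the inline allowlist are assumptions chosen for illustration.

```php
<?php
// Added example, not MantisBT code. Names and the allowlist are hypothetical.

// Types that cannot carry script and may be displayed inline.
// image/svg+xml, text/html and XML types are deliberately absent:
// a browser executes script embedded in them when they are rendered.
const INLINE_SAFE_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'text/plain'];

/**
 * Build the response headers for serving an uploaded file.
 *
 * $detectedType must be the MIME type determined server-side
 * (for example with finfo), never the type claimed by the uploader.
 */
function attachment_headers(string $filename, string $detectedType): array
{
    // Drop parameters such as "; charset=utf-8" and normalise case.
    $type = strtolower(trim(explode(';', $detectedType)[0]));
    $inline = in_array($type, INLINE_SAFE_TYPES, true);

    if (!$inline) {
        // Anything not on the allowlist is sent as an opaque download.
        $type = 'application/octet-stream';
    }

    // Keep the filename from injecting quotes or path parts into the header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    $disposition = ($inline ? 'inline' : 'attachment') . '; filename="' . $safeName . '"';

    return [
        'Content-Type'            => $type,
        'Content-Disposition'     => $disposition,
        // Stop the browser from sniffing the body back into an active type.
        'X-Content-Type-Options'  => 'nosniff',
        // Defence in depth: if the body is rendered anyway, script cannot run.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Constructed sample inputs: one harmless image, one SVG upload.
$samples = [['screenshot.png', 'image/png'], ['diagram.svg', 'image/svg+xml']];
foreach ($samples as [$name, $type]) {
    echo $name, "\n";
    foreach (attachment_headers($name, $type) as $header => $value) {
        echo "  $header: $value\n";
    }
}
```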
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.25.5 | 2.25.5 |
References
- github.com/advisories/GHSA-qghg-v7xv-q98q (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-33910 (ghsa; ADVISORY)
- github.com/mantisbt/mantisbt/commit/266762193fc6c09ffc6b14f5a34c86eae3ebee20 (ghsa; WEB)
- mantisbt.org/blog/archives/mantisbt/719 (ghsa; x_refsource_CONFIRM; WEB)
- mantisbt.org/bugs/view.php (ghsa; x_refsource_MISC; WEB)
- mantisbt.org/bugs/view.php (ghsa; x_refsource_MISC; WEB)