MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values
Description
Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded.
Impact
Session theft, leading to admin account takeover and full project data access.
- Precondition: A textarea-type custom field must be configured for the project
- Attacker: Authenticated user with bug report permission (low privilege)
- Victim: Any user viewing the bug edit form, including administrators
Patches
- 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
Workarounds
The default Content-Security Policy blocks inline script execution, so on an unmodified installation the injected markup cannot run JavaScript. It does not prevent the HTML injection itself, and installations that have relaxed the CSP remain fully exposed.
References
- https://mantisbt.org/bugs/view.php?id=37003
- This is related to CVE-2024-34081.
Credits
Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it.
- Nozomu Sasaki (Paul) (@morimori-dev)
- Tristan Madani (@TristanInSec) from Talence Security
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in MantisBT's textarea custom field allows authenticated low-privilege attackers to execute arbitrary JavaScript when administrators view bug edit forms, leading to session theft and potential admin takeover.
The vulnerability lies in the cfdef_input_textarea() function in core/cfdefs/cfdef_standard.php. Unlike the text field function which uses string_attribute() to escape values, the textarea field directly echoes the custom field value without HTML escaping, allowing injection of arbitrary HTML and JavaScript. [2]
An attacker with bug report permission (low privilege) can exploit this by injecting a payload such as </textarea><img src=x onerror="alert(document.domain)"><textarea> into a textarea-type custom field. When any user, including an administrator, opens the bug edit form (bug_update_page.php), the payload breaks out of the <textarea> tag and executes the injected script. [2] The attack requires that a textarea custom field be configured for the project. [3]
Successful exploitation can lead to session theft, as the attacker can steal cookies. If the victim is an administrator, this may result in full admin account takeover and access to all project data. [3]
The issue is fixed in commit 5fec0f4, which replaces the direct output with string_textarea() for proper escaping. Users should upgrade to MantisBT version 2.28.2 or apply the patch. [4] The default Content-Security Policy may block script execution, but this should not be relied upon as a complete mitigation. [3]
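The following PHP is an added example, not MantisBT code. It reproduces the pre-patch and post-patch behaviour of the textarea rendering described above, checks whether a value can break out of the element, and adds a small audit helper for stored custom field values. The string_textarea() emulation (htmlspecialchars with ENT_COMPAT and UTF-8), the function names and the row shape used by the audit helper are assumptions for this example; the real helper lives in core/string_api.php.

```php
<?php
// Added example, not MantisBT code. Emulates the before/after of commit 5fec0f4
// for cfdef_input_textarea() and adds an audit helper for stored values.

declare(strict_types=1);

// Constructed attacker input: closes the <textarea> element and plants an
// event handler that fires when the edit form is rendered.
const PAYLOAD = '</textarea><img src=x onerror="alert(document.domain)"><textarea>';

// Assumption: MantisBT's string_textarea() amounts to htmlspecialchars() with
// ENT_COMPAT and UTF-8. The real helper is in core/string_api.php.
function string_textarea_emulated(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

// Pre-patch behaviour: the stored value is echoed raw into the element body.
function render_textarea_vulnerable(string $name, string $value): string
{
    return '<textarea name="' . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . '"'
        . ' cols="70" rows="8">' . $value . '</textarea>';
}

// Post-patch behaviour: the value is escaped before it reaches the output.
function render_textarea_hardened(string $name, string $value): string
{
    return '<textarea name="' . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . '"'
        . ' cols="70" rows="8">' . string_textarea_emulated($value) . '</textarea>';
}

// True when the markup contains exactly one <textarea ...> open tag and one
// </textarea> close tag, i.e. the value stayed inside the element.
function textarea_is_contained(string $html): bool
{
    $opens  = preg_match_all('/<textarea\b/i', $html);
    $closes = preg_match_all('/<\/textarea\s*>/i', $html);
    return $opens === 1 && $closes === 1;
}

// Audit helper for an installation that is being upgraded: given rows shaped
// like custom field string storage (field_id, bug_id, value), returns the
// ones that look like markup injection. The row shape is an assumption here.
function find_suspicious_values(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match('/<\/textarea|<script\b|\bon[a-z]+\s*=/i', $row['value']) === 1) {
            $hits[] = ['field_id' => $row['field_id'], 'bug_id' => $row['bug_id']];
        }
    }
    return $hits;
}

// Constructed rows: one benign note, one stored payload, one benign value
// that merely contains angle brackets and must not be flagged.
$rows = [
    ['field_id' => 3, 'bug_id' => 101, 'value' => "Steps:\n1. open the form\n2. click save"],
    ['field_id' => 3, 'bug_id' => 102, 'value' => PAYLOAD],
    ['field_id' => 3, 'bug_id' => 103, 'value' => 'a < b && b > c'],
];

$vulnerable = render_textarea_vulnerable('custom_field_3', PAYLOAD);
$hardened   = render_textarea_hardened('custom_field_3', PAYLOAD);

var_dump(textarea_is_contained($vulnerable));
var_dump(textarea_is_contained($hardened));
print_r(find_suspicious_values($rows));
```

Run with `php example.php`: the vulnerable rendering fails the containment check because the payload contributes a second open and close tag, the hardened rendering passes, and only bug 102 is reported by the audit helper. The audit pattern is deliberately narrow (a stray closing tag, a script tag, or an on* attribute); it is a triage aid for values written before the upgrade, not a replacement for output escaping.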
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.28.2 | 2.28.2 |
Patches
5fec0f448b7a Escape textarea custom field for display
1 file changed · +1 −1
core/cfdefs/cfdef_standard.php+1 −1 modified@@ -495,7 +495,7 @@ function cfdef_input_textarea( array $p_field_def, $p_custom_field_value, $p_req ? $p_field_def['length_max'] : config_get_global( 'max_textarea_length' ), '"'; - echo ' cols="70" rows="8">', $p_custom_field_value, '</textarea>'; + echo ' cols="70" rows="8">', string_textarea( $p_custom_field_value ), '</textarea>'; } /**
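Review bot: the one-line change wraps the echoed value in string_textarea() inside cfdef_input_textarea(), but nothing in the commit shows that the same custom field value is escaped on its other output paths in core/cfdefs/cfdef_standard.php (the narrative above notes that the text-type input already goes through string_attribute(), so the callbacks in this file are escaped case by case rather than centrally); the review should confirm every remaining cfdef_*_input and display callback escapes before echoing. The commit would also benefit from a regression test that stores a value containing `</textarea>` in a textarea custom field and asserts the rendered form still contains exactly one closing tag, and the commit message should reference bug 37003 so the fix can be traced from the tracker.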