EPSS Percentile: 72.7%
MantisBT is vulnerable to cross-site scripting (XSS). The vulnerability exists because the function string_insert_hrefs does not check the protocol, allowing an attacker to inject 'javascript://' to execute arbitrary code.
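The missing protocol check, shown as an added example (not MantisBT's code and not the upstream fix): a simplified auto-linker run with and without a scheme allowlist. The names insert_hrefs, scheme_is_allowed, ALLOWED_SCHEMES and URL_PATTERN, and the allowlist contents, are assumptions made for this illustration.

```php
<?php
// Added example: not MantisBT code; all names here are hypothetical.

const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];

// One capture group so preg_split() returns text at even indexes, URLs at odd ones.
const URL_PATTERN = '~([a-z][a-z0-9+.-]*://[^\s<>"\']+)~i';

function scheme_is_allowed(string $url): bool
{
    // Everything before the first ':' is the scheme; compare case-insensitively.
    $scheme = strtolower((string) strstr($url, ':', true));
    return in_array($scheme, ALLOWED_SCHEMES, true);
}

function insert_hrefs(string $text, bool $checkScheme): string
{
    $html = '';
    $parts = preg_split(URL_PATTERN, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        // Escape every fragment, linked or not, before it reaches the page.
        $safe = htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $isUrl = ($i % 2 === 1);
        if ($isUrl && (!$checkScheme || scheme_is_allowed($part))) {
            $html .= '<a href="' . $safe . '">' . $safe . '</a>';
        } else {
            $html .= $safe; // disallowed scheme stays inert text
        }
    }
    return $html;
}

// Constructed sample input.
$note = 'Docs: https://example.com/a?x=1&y=2 and javascript://example.invalid/';

echo insert_hrefs($note, false), "\n"; // weak: both tokens become links
echo insert_hrefs($note, true), "\n";  // hardened: only the https URL is linked
```

HTML escaping alone does not help here, because the unwanted scheme contains no characters that need escaping; the allowlist on the scheme is what keeps it out of the href attribute.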
seclists.org/oss-sec/2014/q4/867
seclists.org/oss-sec/2014/q4/902
secunia.com/advisories/62101
www.debian.org/security/2015/dsa-3120
bugzilla.redhat.com/show_bug.cgi?id=1170193
github.com/mantisbt/mantisbt/commit/05378e00
www.mantisbt.org/bugs/view.php?id=17297