CVE-2023-49802

CVSS v3 6.7 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

he LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This issue is fixed in version 2.0.1. As a workaround, one may utilize MantisBT's default Content Security Policy, which blocks script execution.

References

Link	Resource
https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286	Patch
https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10	Issue Tracking Patch
https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11	Issue Tracking
https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw	Vendor Advisory
https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286	Patch
https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10	Issue Tracking Patch
https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11	Issue Tracking
https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mantisbt:linked_custom_fields:*:*:*:*:*:mantisbt:*:*

History

21 Nov 2024, 08:33

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.1~~	v2 : unknown v3 : 6.7
References	~~() https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286 - Patch~~	() https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286 - Patch
References	~~() https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10 - Issue Tracking, Patch~~	() https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10 - Issue Tracking, Patch
References	~~() https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11 - Issue Tracking~~	() https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11 - Issue Tracking
References	~~() https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw - Vendor Advisory~~	() https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw - Vendor Advisory

Information

Published : 2023-12-11 22:15

Updated : 2024-11-21 08:33

NVD link : CVE-2023-49802

Mitre link : CVE-2023-49802

CVE.ORG link : CVE-2023-49802

JSON object : View

Products Affected

mantisbt

linked_custom_fields

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.7 /10