Vulnerability Details CVE-2019-15074
The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 74.2%
CVSS Severity
CVSS v3 Score 9.6
CVSS v2 Score 6.8
References
Products affected by CVE-2019-15074
-
cpe:2.3:a:mantisbt:mantisbt:2.13.0
-
cpe:2.3:a:mantisbt:mantisbt:2.13.1
-
cpe:2.3:a:mantisbt:mantisbt:2.13.2
-
cpe:2.3:a:mantisbt:mantisbt:2.14.0
-
cpe:2.3:a:mantisbt:mantisbt:2.15.0
-
cpe:2.3:a:mantisbt:mantisbt:2.15.1
-
cpe:2.3:a:mantisbt:mantisbt:2.16.0
-
cpe:2.3:a:mantisbt:mantisbt:2.16.1
-
cpe:2.3:a:mantisbt:mantisbt:2.17.0
-
cpe:2.3:a:mantisbt:mantisbt:2.17.1
-
cpe:2.3:a:mantisbt:mantisbt:2.17.2
-
cpe:2.3:a:mantisbt:mantisbt:2.18.0
-
cpe:2.3:a:mantisbt:mantisbt:2.18.1
-
cpe:2.3:a:mantisbt:mantisbt:2.19.0
-
cpe:2.3:a:mantisbt:mantisbt:2.19.1
-
cpe:2.3:a:mantisbt:mantisbt:2.20.0
-
cpe:2.3:a:mantisbt:mantisbt:2.20.1
-
cpe:2.3:a:mantisbt:mantisbt:2.21.0
-
cpe:2.3:a:mantisbt:mantisbt:2.21.1