← Volver a CVEs

CVE-2020-25288

MEDIUM

4.8

Descripcion

An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.

Detalles CVE

Puntuacion CVSS v3.14.8

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosHIGH

Interaccion usuarioREQUIRED

Publicado9/30/2020

Ultima modificacion11/21/2024

Fuentenvd

Avistamientos honeypot0

Productos afectados

mantisbt:mantisbt

Debilidades (CWE)

CWE-79

Referencias

http://github.com/mantisbt/mantisbt/commit/221cf323f16a9738a5b27aaba94758f11281d85c(cve@mitre.org)

https://mantisbt.org/bugs/view.php?id=27275(cve@mitre.org)

http://github.com/mantisbt/mantisbt/commit/221cf323f16a9738a5b27aaba94758f11281d85c(af854a3a-2127-422b-91ae-364da2661108)

https://mantisbt.org/bugs/view.php?id=27275(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.