Vulnerability Description
The LinkedCustomFields plugin for MantisBT lets users link the values of two custom fields, so that the options offered in one drop-down depend on the value selected in the other. Prior to version 2.0.1, a cross-site scripting flaw in the plugin allows JavaScript execution when a crafted custom field is linked via the plugin and then displayed while reporting a new issue or editing an existing one. The issue is fixed in version 2.0.1. As a workaround, MantisBT's default Content Security Policy blocks execution of the injected script; installations that have loosened that policy lose this protection and should upgrade.
CVSS Score
6.7 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mantisbt | Linked Custom Fields | < 2.0.1 |
Related Weaknesses (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18 (Patch)
- https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10 (Issue Tracking, Patch)
- https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11 (Issue Tracking)
- https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA- (Vendor Advisory)
FAQ
What is CVE-2023-49802?
CVE-2023-49802 is a cross-site scripting vulnerability in the LinkedCustomFields plugin for MantisBT, affecting versions before 2.0.1, with a CVSS base score of 6.7 (MEDIUM). A crafted custom field linked through the plugin executes JavaScript in the browser of a user who reports a new issue or edits an existing one; see the Vulnerability Description above.
How severe is CVE-2023-49802?
CVE-2023-49802 has been rated MEDIUM with a CVSS base score of 6.7/10. The impact is attacker-controlled script running in the browser of any user who views the crafted field on the issue report or edit form, limited in practice by MantisBT's default Content Security Policy where that policy is still in place.
Is there a patch for CVE-2023-49802?
Yes. The issue is fixed in LinkedCustomFields 2.0.1; the fix commit and the vendor advisory are listed in the References section above. The affected product is the MantisBT LinkedCustomFields plugin in versions before 2.0.1. Until the plugin is upgraded, keeping MantisBT's default Content Security Policy in place blocks execution of the injected script.