Vulnerabilities > CVE-2023-49802 - Unspecified vulnerability in Mantisbt Linked Custom Fields 1.0/1.0.1/2.0.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This issue is fixed in version 2.0.1. As a workaround, one may utilize MantisBT's default Content Security Policy, which blocks script execution.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
References
- https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286
- https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286
- https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10
- https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10
- https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11
- https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11
- https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw
- https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw