CVE-2010-2574 — MantisBT Cross-site Scripting vulnerability

Description

Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the name parameter in an Add Category action.

How to fix CVE-2010-2574

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Packagist/mantisbt/mantisbt—no fix listed

Is CVE-2010-2574 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2010-2574
WEBlists.fedoraproject.org/pipermail/package-announce/2010-September/048548.html
WEBlists.fedoraproject.org/pipermail/package-announce/2010-September/048639.html
WEBlists.fedoraproject.org/pipermail/package-announce/2010-September/048659.html