CVE-2020-25288 — MantisBT XXS where a Custom Field with a crafted Regular Expression property is

Description

An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.

How to fix CVE-2020-25288

To remediate CVE-2020-25288, upgrade the affected package to a fixed version below.

—upgrade to 2.24.3 or later

Is CVE-2020-25288 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.23.0, < 2.24.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-25288
PATCHgithub.com/mantisbt/mantisbt
WEBgithub.com/mantisbt/mantisbt/commit/221cf323f16a9738a5b27aaba94758f11281d85c
WEBgithub.com/mantisbt/mantisbt/commit/221cf323f16a9738a5b27aaba94758f11281d85c