CVE-2022-33910 Information

Description

An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment file_download.php opens the SVG document in a browser tab instead of downloading it as a file causing the JavaScript code to execute.

Reference

https://mantisbt.org/blog/archives/mantisbt/719 https://mantisbt.org/bugs/view.php?id=29135 https://mantisbt.org/bugs/view.php?id=30384