CVE-2020-35571 in MantisBT

Summary

by MITRE • 02/22/2021

An issue was discovered in MantisBT through 2.24.3. In the helper_ensure_confirmed call in manage_custom_field_update.php, the custom field name is not sanitized. This may be problematic depending on CSP settings.


Analysis

by VulDB Data Team • 03/03/2021

CVE-2020-35571 affects MantisBT 2.24.3 and earlier. The flaw lies in the custom field handling of the administrative interface: in manage_custom_field_update.php, the custom field name is passed to helper_ensure_confirmed without being sanitized. Because the name is user-controlled, a crafted value can alter how the application behaves when it renders that confirmation, and the practical consequences depend on the Content Security Policy under which the application runs.

Technically this is an input validation and output sanitization defect. When helper_ensure_confirmed processes the custom field name, no sanitization step prevents characters or sequences with special meaning from being passed through, so injected content can be interpreted by the application in unintended ways. This matters most where a Content Security Policy is in use, since the unsanitized field name may interact with the CSP settings in ways that allow security controls to be bypassed.

The impact goes beyond data integrity. Depending on the CSP configuration in place, an attacker may be able to use the crafted field name for cross-site scripting or other attacks against user sessions and access controls. Severity increases when the CSP is permissive, or when the unsanitized name reaches other components that process user input, creating an attack surface that could be used to escalate privileges or reach sensitive application functionality without authorization.

Mitigation should start with sanitizing and validating the field name at the helper_ensure_confirmed call in manage_custom_field_update.php: every user-provided field name must have its special characters encoded or removed before it is rendered. Organizations should also review their Content Security Policy and deploy strict directives that block script execution from unintended sources, which limits the impact of this class of flaw. The recommended fix is to upgrade to a MantisBT release in which the sanitization issue is addressed, and to apply consistent input validation to all user-facing components that handle custom field data. The weakness is classified as CWE-116 (improper encoding or escaping of output) and may relate to ATT&CK technique T1059.007, script injection of the kind this sanitization weakness could facilitate.
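The following PHP is an added illustration and is not MantisBT's code or the project's fix. It models the CWE-116 pattern described above: a confirmation page that writes a user-controlled custom field name into HTML, first without output encoding and then with the encoding step in place, plus the strict CSP header recommended as defence in depth. The function names, the markup and the sample field name are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustrative code, not taken from MantisBT. render_confirmation_unsafe()
// reproduces the defect (user input concatenated into HTML), and
// render_confirmation_safe() applies the output encoding that fixes it.
// Function names and markup are assumptions for this example.

// Defect: the field name is concatenated into markup verbatim. trim() is not a
// sanitizer; any HTML metacharacter in the name becomes part of the page.
function render_confirmation_unsafe(string $fieldName): string
{
    $message = 'Delete custom field "' . trim($fieldName) . '" and all of its values?';
    return '<p class="confirm">' . $message . '</p>'
         . '<button name="_confirmed" value="1">Confirm</button>';
}

// Fix: encode at the point where the value is written into HTML. ENT_QUOTES makes
// the result safe inside attribute values as well as text; the charset must match
// the one the page declares.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_confirmation_safe(string $fieldName): string
{
    $message = sprintf(
        'Delete custom field "%s" and all of its values?',
        html_escape(trim($fieldName))
    );
    return '<p class="confirm">' . $message . '</p>'
         . '<button name="_confirmed" value="1">Confirm</button>';
}

// Defence in depth, as the analysis recommends: a strict policy limits what
// injected markup can do if an encoding step is missed. It does not replace
// output encoding. Send it with header() before any output is emitted.
function strict_csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
}

// Constructed sample input: a field name that carries markup. Real names come
// from the custom field administration form.
$sampleName = 'Priority <b>(legacy)</b>';

$unsafe = render_confirmation_unsafe($sampleName);
$safe   = render_confirmation_safe($sampleName);

// Defender-side check: the tag from the input survives as HTML only in the
// unsafe output; in the encoded output it is inert text (&lt;b&gt;).
echo (strpos($unsafe, '<b>') !== false) ? "unsafe: tag rendered as HTML\n" : "unsafe: unexpected\n";
echo (strpos($safe, '<b>') === false)   ? "safe: tag encoded as text\n"    : "safe: unexpected\n";
echo $safe, "\n";
echo strict_csp_header(), "\n";
```

The encoding belongs at the sink, where the value meets the HTML, not at the point where the name is read from the request; a value that is only validated on input can still be stored and later rendered in a context the validation did not anticipate.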

Reservation

12/20/2020

Disclosure

02/22/2021

Moderation

accepted

CPE

ready

EPSS

0.00285

KEV

no

Activities

very low
