CVE-2022-28508 in MantisBT

Summary

by MITRE • 05/04/2022

An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.


Analysis

by VulDB Data Team • 06/10/2025

CVE-2022-28508 is a cross-site scripting weakness in the MantisBT bug tracking system affecting versions before 2.25.2. It lies in browser_search_plugin.php, the component that handles search from the web interface. The application fails to properly sanitize user-supplied input, in particular the return parameter used to redirect users after a search. A crafted payload placed in this parameter is written unsanitized into a hidden HTML input field, which becomes the execution vector for the injected script.

The issue is classified as CWE-79 (Cross-Site Scripting), specifically a stored XSS variant in which the payload is embedded in the application's response and executed when other users open the affected page. Technically, the application does not apply output encoding or sanitization before inserting user-provided data into an HTML context. The return parameter normally carries URL paths or query strings used for redirection, which makes it a natural injection point. Because its value is inserted into the hidden input field without escaping, any script tags or JavaScript contained in the parameter run in the context of the victim's browser session.

The impact goes beyond simple script execution: the weakness can be used for session hijacking, theft of authentication tokens, redirection to malicious domains, or actions performed on behalf of authenticated users. Payloads can remain active until the application is updated or the affected pages are cleared from browser caches. Because the injection point is a hidden input field, the malicious code runs without visible indicators, which makes detection harder for end users and for security monitoring. Organizations using MantisBT for collaborative software development and bug tracking are particularly exposed, since their users may hold elevated privileges and access to sensitive project information.

Mitigation for CVE-2022-28508 starts with updating to version 2.25.2 or later, which contains the input sanitization fix. Beyond that, every user-supplied parameter should be output-encoded before it is rendered in HTML, including hidden input fields and other DOM elements, using context-aware escaping: HTML entity encoding for attribute values and JavaScript escaping for script contexts. Security teams should review every component in which a parameter feeds dynamic HTML generation and confirm that it is validated and filtered. A Content Security Policy header adds a further layer of defense by restricting script execution and the sources from which scripts may be loaded, which limits the impact of a successful exploit.
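As an added illustration (not MantisBT's own code; the actual patch is not shown on this page), the following hypothetical PHP fragment shows the unescaped pattern the summary describes next to the attribute-context encoding the mitigation section calls for, plus a check a test suite could run. Function names are assumed; only the return parameter and the hidden-input context come from the advisory.

```php
<?php
// Added illustration, not MantisBT's own code. Function names are assumed;
// only the "return" parameter and the hidden-input context come from the advisory.

// Unescaped pattern the advisory describes: the parameter value is concatenated
// straight into an attribute, so a double quote inside it ends the attribute and
// whatever follows is parsed as markup.
function render_return_field_unescaped(string $return): string
{
    return '<input type="hidden" name="return" value="' . $return . '" />';
}

// Hardened pattern: encode for the HTML attribute context before insertion.
// ENT_QUOTES converts both ' and ", so the value can no longer leave the
// quoted attribute; < and > are converted as well, so no tags can be formed.
function render_return_field(string $return): string
{
    $encoded = htmlspecialchars($return, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="return" value="' . $encoded . '" />';
}

// Check usable in a test suite: the rendered markup must contain exactly one
// input element, and the parser must decode its value back to the original.
function return_field_is_safe(string $return): bool
{
    $html = render_return_field($return);
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $inputs = $doc->getElementsByTagName('input');
    return $inputs->length === 1
        && $inputs->item(0)->getAttribute('value') === $return;
}

// Defence in depth: a CSP header limits what an injected script could do
// even if an escaping bug slips through elsewhere in the application.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample value containing a quote and angle brackets.
$sample = 'view_all_bug_page.php?id=1"><b>x</b>';
echo render_return_field_unescaped($sample), PHP_EOL;
echo render_return_field($sample), PHP_EOL;
var_dump(return_field_is_safe($sample));
```

Running the fragment shows the unescaped line breaking out of the attribute while the encoded line keeps the whole value inside it and the DOM check passes.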

Reservation

04/04/2022

Disclosure

05/04/2022

Moderation

accepted

CPE

ready

EPSS

0.04902

KEV

no

Activities

very low
