CVE-2013-4460

low

Published 2014-01-10 · Modified 2026-04-29

CVSS v3

—

CVSS v2

3.5

VIR risk

3.5

Description

Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://github.com/mantisbt/mantisbt/commit/0002d106a6cd35cb0a6fe03246531a4e3f32c9d0#diff-4122320b011a3291cd45da074a867076

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/55305

Application impact

Vendor	Product	Versions
mantisbt	mantisbt	`1.0.0`
mantisbt	mantisbt	`1.0.1`
mantisbt	mantisbt	`1.0.2`
mantisbt	mantisbt	`1.0.3`
mantisbt	mantisbt	`1.0.4`
mantisbt	mantisbt	`1.0.5`
mantisbt	mantisbt	`1.0.6`
mantisbt	mantisbt	`1.0.7`
mantisbt	mantisbt	`1.0.8`
mantisbt	mantisbt	`1.0.9`
mantisbt	mantisbt	`1.1.0`
mantisbt	mantisbt	`1.1.1`
mantisbt	mantisbt	`1.1.2`
mantisbt	mantisbt	`1.1.3`
mantisbt	mantisbt	`1.1.4`
mantisbt	mantisbt	`1.1.5`
mantisbt	mantisbt	`1.1.6`
mantisbt	mantisbt	`1.1.7`
mantisbt	mantisbt	`1.1.8`
mantisbt	mantisbt	`1.1.9`
mantisbt	mantisbt	`1.2.0`
mantisbt	mantisbt	`1.2.1`
mantisbt	mantisbt	`1.2.2`
mantisbt	mantisbt	`1.2.3`
mantisbt	mantisbt	`1.2.4`
mantisbt	mantisbt	`1.2.5`
mantisbt	mantisbt	`1.2.6`
mantisbt	mantisbt	`1.2.7`
mantisbt	mantisbt	`1.2.8`
mantisbt	mantisbt	`1.2.9`
mantisbt	mantisbt	`1.2.10`
mantisbt	mantisbt	`1.2.11`
mantisbt	mantisbt	`1.2.13`
mantisbt	mantisbt	`1.2.14`
mantisbt	mantisbt	`1.2.15`

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.