MantisBT: master-2.25 262ecdde

Author Committer Branch Timestamp Parent
dregad dregad master-2.25 2022-06-13 06:09 master-2.25 0d1d7b65
Affected Issues 0030384: CVE-2022-33910: Stored XSS via SVG file upload
Changeset

Prevent script execution when viewing SVG files

A cross-site scripting vulnerability allows remote attackers to attach
maliciously crafted SVG files to issue reports or bugnotes. When a user
or an admin clicks on the attachment, file_download.php will open the
SVG in a browser tab instead of downloading it as a file, causing the
javascript to execute. This risk is mitigated by MantisBT's default
Content Security Policy, which prevents execution of inline scripts.

This fixes the issue by forcing download as attachment for files of
image/svg+xml mime type.

Devendra Bhatla and Febin Mon Saji <febinrev811@gmail.com> both
independently reported this vulnerability.

Fixes 0030384, CVE-2022-33910

mod - file_download.php
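The commit message describes the mitigation only in one sentence: files of MIME type image/svg+xml are always sent as an attachment so the browser saves them instead of rendering them (and their embedded script) in the MantisBT origin. The following is an added illustration of that decision, written for this page; it is not the project's own file_download.php and makes no claim about how MantisBT structures its code. The function names (`attachment_disposition`, `send_attachment_headers`), the `$inline_wanted` flag modelling the "open in a browser tab" behaviour the message describes, and the sample file names are all assumptions.

```php
<?php
// Added example (not MantisBT's own file_download.php): decide how a browser
// should handle an attachment based on its MIME type, forcing a download for
// image/svg+xml so any script embedded in the SVG never runs in the site's origin.

/**
 * Return the Content-Disposition header value for an attachment.
 * Types a browser would render as a document able to run script (here: SVG,
 * matching the change described in the commit) are always "attachment";
 * every other type keeps the caller's inline/attachment preference.
 */
function attachment_disposition(string $mime, string $filename, bool $inline_wanted): string {
    // MIME types are case-insensitive and may carry parameters,
    // e.g. "IMAGE/SVG+XML; charset=utf-8", so compare on the normalised base type.
    $base = strtolower(trim(explode(';', $mime, 2)[0]));

    // Assumption: SVG is the only type treated specially in this example,
    // as in the commit message; a deployment may extend this list.
    $force_download = ['image/svg+xml' => true];

    $type = ($inline_wanted && !isset($force_download[$base])) ? 'inline' : 'attachment';

    // Drop characters that would terminate or split the header value.
    $safe = str_replace(['"', "\r", "\n"], '', $filename);
    return $type . '; filename="' . $safe . '"';
}

/**
 * Emit the response headers for a download. Kept separate from the decision
 * function so the decision can be exercised from the CLI without sending headers.
 */
function send_attachment_headers(string $mime, string $filename, bool $inline_wanted): void {
    header('Content-Type: ' . $mime);
    header('Content-Disposition: ' . attachment_disposition($mime, $filename, $inline_wanted));
    // Keeps browsers from sniffing a type other than the one declared.
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample inputs: run from the CLI to see which files are forced to download.
foreach ([
    ['image/png', 'screenshot.png', true],
    ['image/svg+xml', 'diagram.svg', true],
    ['IMAGE/SVG+XML; charset=utf-8', 'diagram.svg', true],
] as [$mime, $name, $inline]) {
    echo str_pad($mime, 32), ' => ', attachment_disposition($mime, $name, $inline), PHP_EOL;
}
```

The PNG stays inline while both SVG spellings become `attachment; filename="diagram.svg"`. The filename handling here only strips quotes and line breaks; a production handler should also encode non-ASCII names (RFC 5987 `filename*`) and, as the commit message notes, a Content Security Policy that blocks inline scripts remains a worthwhile second layer even once SVGs are never rendered in-origin.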