PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5364 Mantisbt CVE debrief

CVE-2016-5364 is a cross-site scripting flaw in MantisBT's manage_custom_field_edit_page.php. NVD lists affected versions through 1.2.19, and the issue is reachable over the network with no privileges required, but it does require user interaction. The published CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which aligns with a medium-severity web injection issue.

Vendor: Mantisbt
Product: CVE-2016-5364
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Teams operating MantisBT instances at version 1.2.19 or earlier, especially administrators, application owners, and security teams responsible for web application patching and validation.

Technical summary

The vulnerability is an XSS condition in manage_custom_field_edit_page.php triggered through the return parameter. Because the parameter value is reflected into the generated web page without being neutralized, an attacker can cause script or HTML to be rendered in a victim's browser. NVD classifies the weakness as CWE-79 (improper neutralization of input during web page generation), and the CVSS vector shows network attackability, low attack complexity, no attacker privileges, and a user-interaction requirement.

Defensive priority

Medium priority. The issue is remotely reachable and can affect browser sessions and application trust boundaries, but it requires user interaction and NVD rates it as CVSS 6.1.

Recommended defensive actions

  • Inventory MantisBT deployments and confirm whether any instance is running version 1.2.19 or earlier.
  • Apply the vendor fixes referenced by the official advisory and patches, or upgrade to a release newer than the vulnerable range.
  • Review custom field editing and redirect/return handling for proper output encoding and HTML escaping.
  • After remediation, verify the fix in a staging environment and retest the affected page path under normal user workflows.
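As an added illustration of the reflected-parameter problem described in the technical summary and the output-encoding review recommended above, the following hypothetical PHP is not MantisBT's code: it shows a `return` parameter echoed raw into an HTML attribute beside a hardened version that first allowlists the value as a same-site relative path and then encodes it for the attribute context. The function names, the default fallback path and the sample input are assumptions.

```php
<?php
// Hypothetical example, not taken from MantisBT. Assumes PHP 7.4+ and that the
// "return" request parameter is rendered into an <a href="..."> attribute.

// Vulnerable pattern: request input is concatenated straight into HTML, so a
// value containing a double quote can close the attribute and inject markup.
function render_return_link_unsafe(string $return): string {
    return '<a href="' . $return . '">Back</a>';
}

// Validation layer: only accept a simple same-site relative path. Anything else
// (absolute URLs, scheme prefixes such as "javascript:", protocol-relative "//",
// path traversal, unexpected characters) falls back to a fixed default page.
function sanitize_return_path(string $return, string $default = 'index.php'): string {
    if ($return === '' || strlen($return) > 512) {
        return $default;
    }
    // A leading "scheme:" or "//" would turn the value into an off-site redirect.
    if (preg_match('/^[A-Za-z][A-Za-z0-9+.\-]*:/', $return) === 1 || substr($return, 0, 2) === '//') {
        return $default;
    }
    // Character allowlist for page names and query strings; reject traversal.
    if (preg_match('#^[A-Za-z0-9_./?=&%\-]+$#', $return) !== 1 || strpos($return, '..') !== false) {
        return $default;
    }
    return $return;
}

// Hardened pattern: validate, then HTML-encode for the attribute context.
// ENT_QUOTES encodes both ' and " so the value cannot terminate the attribute.
function render_return_link_safe(string $return): string {
    $path = sanitize_return_path($return);
    $encoded = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $encoded . '">Back</a>';
}

// Constructed sample inputs (not from the advisory).
$benign = 'view.php?id=42';
$hostile = '"><b>injected</b>';
echo render_return_link_unsafe($hostile), PHP_EOL; // attribute closed, markup injected
echo render_return_link_safe($hostile), PHP_EOL;   // falls back to index.php
echo render_return_link_safe($benign), PHP_EOL;    // legitimate path preserved
```

Encoding alone (the `htmlspecialchars` call) already stops the attribute breakout; the allowlist is the second layer that keeps a redirect target from pointing off-site, which is why the recommended review covers both output encoding and redirect/return handling.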

Evidence notes

The supplied NVD record states that MantisBT 1.2.19 and earlier are vulnerable and maps the issue to CWE-79. The record also provides a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Official references include the oss-security mailing list post, two GitHub patch commits, and the MantisBT issue tracker entry, all tied to the same vulnerability.

Official resources

The CVE record was published on 2017-02-17 and was modified by NVD on 2026-05-13. The source references point back to a June 2016 oss-security post and vendor-linked patches, providing the timing context for the vulnerability's disclosure.