CVE-2021-43257

HIGH

MantisBT <2.25.3 - Code Injection

Description

Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.

Scores

CVSS v3 7.8
EPSS 0.0072
EPSS Percentile 72.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-1236
Status published
Products (2)
mantisbt/mantisbt < 2.25.3
mantisbt/mantisbt 0 - 2.25.3 (Packagist)
Published Apr 14, 2022
Tracked Since Feb 18, 2026