Impact
Mantis Bug Tracker versions 2.28.1 and earlier use the Referer header value directly to build a redirect URL without escaping it. Because the Referer is supplied by the client, this lets an attacker inject arbitrary HTML into the response. Modern browsers normally encode special characters in the Referer header they send, but some server configurations may still pass the raw value through, which can lead to cache poisoning and enable reflected XSS. Successful exploitation allows an attacker to execute scripts in the context of a logged-in user, leading to theft of authentication cookies, session hijacking, or defacement of the site. The weakness is a typical reflected XSS flaw (CWE-79).
Affected Systems
The affected product is Mantis Bug Tracker (vendor: mantisbt). Versions 2.28.1 and earlier are vulnerable; the issue was fixed in release 2.28.2. Administrators running any older release must confirm the installed version and plan an upgrade.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. No EPSS score is available, so there is no statistical estimate of exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an HTTP request carrying a crafted Referer header sent to the tag update endpoint. Where the server environment reflects the raw Referer header unescaped, exploitation is straightforward; otherwise the attack is limited by the browser's encoding of the header. Organizations still running a vulnerable version should treat the issue as moderate to high risk, depending on how exposed the instance is to external requests.
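As an added defender-side illustration of the handling the Impact and Risk sections describe (this is example code, not MantisBT's own), the Python below derives a redirect target from the Referer only when the value is well-formed and same-origin, falls back to a safe page otherwise, and HTML-escapes the result on output; the same suspicious-character check can be run over Referer values captured in access logs to flag injection attempts. The application origin and fallback path are assumed placeholders.

```python
"""Defensive handling of a client-supplied Referer header.

Added illustration, not MantisBT code. APP_ORIGIN and DEFAULT_TARGET are
assumed placeholders for a deployment's origin and a safe landing page.
"""
from html import escape
from typing import Optional
from urllib.parse import urlsplit

APP_ORIGIN = "https://bugs.example.org"    # assumed: origin the app is served from
DEFAULT_TARGET = "/view_all_bug_page.php"  # assumed: safe fallback after an update

# Characters that never belong in a well-formed URL; their presence in a
# Referer is a strong sign of an injection attempt (useful for log review too).
_FORBIDDEN = set('<>"\'\x00\r\n\t ')


def referer_is_suspicious(referer: str) -> bool:
    """True if the header holds characters that would break a URL or HTML context."""
    return any(ch in _FORBIDDEN for ch in referer)


def safe_redirect_target(referer: Optional[str]) -> str:
    """Derive a redirect path from Referer only when it is same-origin and clean.

    Anything else (missing header, foreign or scheme-relative origin, markup
    characters, unparsable value) falls back to DEFAULT_TARGET, so the raw
    header value is never reflected into the response.
    """
    if not referer or referer_is_suspicious(referer):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return DEFAULT_TARGET
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if origin != APP_ORIGIN or not parts.path.startswith("/"):
        return DEFAULT_TARGET
    return parts.path + (f"?{parts.query}" if parts.query else "")


def render_redirect_link(referer: Optional[str]) -> str:
    """Emit the link markup; HTML-escape the target even though it was validated."""
    return f'<a href="{escape(safe_redirect_target(referer), quote=True)}">Proceed</a>'


if __name__ == "__main__":
    # Constructed sample Referer values, as a client or an access log might supply.
    for value in ("https://bugs.example.org/view.php?id=7",
                  'https://bugs.example.org/view.php?"><b>x',
                  "//evil.example/phish", None):
        print(repr(value), "->", render_redirect_link(value))
```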
OpenCVE Enrichment
GitHub GHSA