A few minutes ago I found a nice old persistent XSS in the latest version of Mantis Bug Tracker (1.2.12).
Figure: Persistent XSS for admin
This vulnerability exists for the admin user, but the same could be in other parts of this webapp.
Update: 18.01.2013
A few minutes ago I spoke again with the Developer Team.
After this little chat I have a surprise for you: a new MantisBT is coming! :)
As you can see now (in the comments), MantisBT is available for download and soon you can get
a brand new version. The patch for this vulnerability is, for now, available here.
Once again I would like to thank the MantisBT Team for a fast reply, great knowledge and excellent work! :)