A cross-site scripting (XSS) vulnerability in viewfilterspage.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter.