A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in the My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to the use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.
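The bug class described above, as an added hypothetical illustration (not MantisBT's own code or its actual fix): a link target built from `$_SERVER['PHP_SELF']` echoes back whatever PATH_INFO suffix the client appended to the URL, while the hardened variant assumed here takes the script name only and HTML-encodes it before use in an attribute.

```php
<?php
// Hypothetical illustration of the vulnerability class, not MantisBT code.
// PHP_SELF includes any PATH_INFO the client appended to the request path.

// Constructed request path: /my_view_page.php/<extra segment supplied by client>
$constructedSelf = '/my_view_page.php/"><i>injected</i>';

// Vulnerable pattern: PHP_SELF is inserted verbatim into an HTML attribute.
function build_link_vulnerable(string $phpSelf, string $anchor): string {
    return '<a href="' . $phpSelf . '#' . $anchor . '">more</a>';
}

// Hardened pattern (assumed mitigation, not the project's fix): use SCRIPT_NAME,
// which carries no PATH_INFO, keep only its basename, and HTML-encode every
// value placed inside the attribute.
function build_link_hardened(string $scriptName, string $anchor): string {
    $page = basename($scriptName);
    return '<a href="' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8')
         . '#' . htmlspecialchars($anchor, ENT_QUOTES, 'UTF-8') . '">more</a>';
}

// Check used here: the href attribute must contain no raw '<' or '"' that
// could close the attribute or open a new element.
function link_is_safe(string $html): bool {
    $attr = substr($html, strlen('<a href="'));
    $attr = substr($attr, 0, strpos($attr, '">more</a>'));
    return strpos($attr, '<') === false && strpos($attr, '"') === false;
}

$vuln = build_link_vulnerable($constructedSelf, 'timeline');
$safe = build_link_hardened('/my_view_page.php', 'timeline');
echo "vulnerable: $vuln\n";   // markup from the request URL lands in the page
echo "hardened:   $safe\n";   // target is just my_view_page.php#timeline
var_dump(link_is_safe($vuln), link_is_safe($safe)); // bool(false) bool(true)
```

The "(if CSP settings permit it)" qualifier in the description is the other layer: a Content-Security-Policy that disallows inline script limits what injected markup can do, but output encoding is the fix for the bug itself.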