CVE-2018-6382

{"id": "CVE-2018-6382", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2018-01-30T06:29:00.320", "references": [{"url": "http://archive.is/https:/mantisbt.org/bugs/view.php?id=23908", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://mantisbt.org/bugs/view.php?id=23908", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via the vendor/adodb/adodb-php/server.php sql parameter in a request to the 127.0.0.1 IP address. NOTE: the vendor disputes the significance of this report because server.php is intended to execute arbitrary SQL statements on behalf of authenticated users from 127.0.0.1, and the issue does not have an authentication bypass"}, {"lang": "es", "value": "** EN DISPUTA ** MantisBT 2.10.0 permite que usuarios locales lleven a cabo ataques de inyecci\u00f3n SQL mediante el par\u00e1metro sql en vendor/adodb/adodb-php/server.php en una petici\u00f3n a la direcci\u00f3n IP 127.0.0.1. NOTA: el fabricante discute la importancia de este informe porque se supone que server.php debe ejecutar instrucciones SQL arbitrarias en nombre de usuarios autenticados de 127.0.0.1 y que este problema no tiene una omisi\u00f3n de autenticaci\u00f3n."}], "lastModified": "2024-08-05T06:16:25.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A6D63BB-4B3B-4A6B-8B4B-EA09162CE1A3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}