Total
                    115 CVE
                
            | CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | 
|---|---|---|---|---|---|
| CVE-2015-1042 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.8 MEDIUM | N/A | 
| The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316. | |||||
| CVE-2014-9759 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM | 
| Incomplete blacklist vulnerability in the config_is_private function in config_api.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request. | |||||
| CVE-2014-9506 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 3.5 LOW | N/A | 
| MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | |||||
| CVE-2014-9572 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 7.5 HIGH | N/A | 
| MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. | |||||
| CVE-2014-9388 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.0 MEDIUM | N/A | 
| bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. | |||||
| CVE-2014-9270 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 4.3 MEDIUM | N/A | 
| Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field. | |||||
| CVE-2014-8553 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.0 MEDIUM | N/A | 
| The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. | |||||
| CVE-2014-9271 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2025-04-12 | 4.3 MEDIUM | 5.4 MEDIUM | 
| Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. | |||||
| CVE-2013-1810 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 2.1 LOW | N/A | 
| Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function. | |||||
| CVE-2014-6316 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.8 MEDIUM | N/A | 
| core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php. | |||||
| CVE-2014-8598 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 6.4 MEDIUM | N/A | 
| The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. | |||||
| CVE-2014-8986 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 3.5 LOW | N/A | 
| Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987. | |||||
| CVE-2012-1118 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 4.3 MEDIUM | N/A | 
| The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform certain operations on private bug reports. | |||||
| CVE-2010-4349 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 5.0 MEDIUM | N/A | 
| admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to obtain sensitive information via an invalid db_type parameter, which reveals the installation path in an error message, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | |||||
| CVE-2012-2692 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 3.6 LOW | N/A | 
| MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments. | |||||
| CVE-2011-3358 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 4.3 MEDIUM | N/A | 
| Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) os, (2) os_build, or (3) platform parameter to (a) bug_report_page.php or (b) bug_update_advanced_page.php, related to use of the Projax library. | |||||
| CVE-2010-2574 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 2.1 LOW | N/A | 
| Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the name parameter in an Add Category action. | |||||
| CVE-2012-5522 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 5.5 MEDIUM | N/A | 
| MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. | |||||
| CVE-2010-4348 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 4.3 MEDIUM | N/A | 
| Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to inject arbitrary web script or HTML via the db_type parameter, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | |||||
| CVE-2011-3755 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 5.0 MEDIUM | N/A | 
| MantisBT 1.2.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by view_all_inc.php and certain other files. | |||||
