Total
109 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2014-9117 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.0 MEDIUM | N/A |
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0. | |||||
CVE-2014-9279 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.0 MEDIUM | N/A |
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL. | |||||
CVE-2013-1883 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.0 MEDIUM | N/A |
Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type. | |||||
CVE-2014-6387 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.0 MEDIUM | N/A |
gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind. | |||||
CVE-2014-9281 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. | |||||
CVE-2014-9571 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. | |||||
CVE-2014-9280 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 7.5 HIGH | N/A |
The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter. | |||||
CVE-2014-8554 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 7.5 HIGH | N/A |
SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1609. | |||||
CVE-2014-9272 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2024-02-04 | 4.3 MEDIUM | N/A |
The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. | |||||
CVE-2014-8988 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 4.0 MEDIUM | N/A |
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. | |||||
CVE-2014-7146 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 7.5 HIGH | N/A |
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier. | |||||
CVE-2014-1608 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2024-02-04 | 7.5 HIGH | N/A |
SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. | |||||
CVE-2014-9573 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 6.0 MEDIUM | N/A |
SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. | |||||
CVE-2015-1042 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.8 MEDIUM | N/A |
The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316. | |||||
CVE-2014-9506 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 3.5 LOW | N/A |
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | |||||
CVE-2014-9572 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 7.5 HIGH | N/A |
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. | |||||
CVE-2014-9388 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.0 MEDIUM | N/A |
bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. | |||||
CVE-2014-9270 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field. | |||||
CVE-2014-8553 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.0 MEDIUM | N/A |
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. | |||||
CVE-2014-9271 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2024-02-04 | 4.3 MEDIUM | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. |