Total
109 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-1810 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 2.1 LOW | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function. | |||||
CVE-2014-6316 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.8 MEDIUM | N/A |
core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php. | |||||
CVE-2014-8598 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 6.4 MEDIUM | N/A |
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. | |||||
CVE-2014-8986 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987. | |||||
CVE-2012-1118 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 4.3 MEDIUM | N/A |
The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform certain operations on private bug reports. | |||||
CVE-2012-2692 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 3.6 LOW | N/A |
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments. | |||||
CVE-2012-5522 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.5 MEDIUM | N/A |
MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. | |||||
CVE-2012-1120 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 3.6 LOW | N/A |
The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which allows remote authenticated users with read and write SOAP API privileges to delete arbitrary bug reports and bug notes. | |||||
CVE-2012-1122 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 3.6 LOW | N/A |
bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project when moving a bug report, which allows remote authenticated users with the report_bug_threshold and move_bug_threshold privileges for a project to bypass intended access restrictions and move bug reports to a different project. | |||||
CVE-2012-1121 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 4.9 MEDIUM | N/A |
MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories. | |||||
CVE-2012-5523 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.5 MEDIUM | N/A |
core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. | |||||
CVE-2012-1119 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 6.4 MEDIUM | N/A |
MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection. | |||||
CVE-2013-4460 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name. | |||||
CVE-2012-2691 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 7.5 HIGH | N/A |
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request. | |||||
CVE-2012-1123 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 7.5 HIGH | N/A |
The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass authentication via a null password. | |||||
CVE-2010-4349 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.0 MEDIUM | N/A |
admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to obtain sensitive information via an invalid db_type parameter, which reveals the installation path in an error message, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | |||||
CVE-2011-3358 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) os, (2) os_build, or (3) platform parameter to (a) bug_report_page.php or (b) bug_update_advanced_page.php, related to use of the Projax library. | |||||
CVE-2010-2574 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 2.1 LOW | N/A |
Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the name parameter in an Add Category action. | |||||
CVE-2010-4348 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to inject arbitrary web script or HTML via the db_type parameter, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | |||||
CVE-2011-3755 | 1 Mantisbt | 1 Mantisbt | 2024-02-04 | 5.0 MEDIUM | N/A |
MantisBT 1.2.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by view_all_inc.php and certain other files. |