Total
109 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-13055 | 1 Mantisbt | 1 Mantisbt | 2018-10-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) in MantisBT 2.1.0 through 2.15.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. | |||||
| CVE-2018-14504 | 1 Mantisbt | 1 Mantisbt | 2018-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in manage_filter_edit_page.php in MantisBT 2.x through 2.15.0. A cross-site scripting (XSS) vulnerability in the Edit Filter page allows execution of arbitrary code (if CSP settings permit it) when displaying a filter with a crafted name (e.g., 'foobar" onclick="alert(1)'). | |||||
| CVE-2018-6526 | 1 Mantisbt | 1 Mantisbt | 2018-04-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filter_ensure_valid_filter call in current_user_api.php. | |||||
| CVE-2014-9624 | 1 Mantisbt | 1 Mantisbt | 2017-09-20 | 5.0 MEDIUM | 7.5 HIGH |
| CAPTCHA bypass vulnerability in MantisBT before 1.2.19. | |||||
| CVE-2014-9573 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 6.0 MEDIUM | N/A |
| SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. | |||||
| CVE-2014-9572 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 7.5 HIGH | N/A |
| MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. | |||||
| CVE-2014-9571 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. | |||||
| CVE-2014-9117 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 5.0 MEDIUM | N/A |
| MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0. | |||||
| CVE-2014-9281 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. | |||||
| CVE-2014-8988 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 4.0 MEDIUM | N/A |
| MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. | |||||
| CVE-2014-9280 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 7.5 HIGH | N/A |
| The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter. | |||||
| CVE-2014-8598 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 6.4 MEDIUM | N/A |
| The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. | |||||
| CVE-2014-8553 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 5.0 MEDIUM | N/A |
| The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. | |||||
| CVE-2014-7146 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 7.5 HIGH | N/A |
| The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier. | |||||
| CVE-2014-6316 | 1 Mantisbt | 1 Mantisbt | 2017-09-07 | 5.8 MEDIUM | N/A |
| core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php. | |||||
| CVE-2015-2046 | 1 Mantisbt | 1 Mantisbt | 2017-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later before 1.2.20. | |||||
| CVE-2014-2238 | 1 Mantisbt | 1 Mantisbt | 2017-08-28 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter. | |||||
| CVE-2013-1883 | 1 Mantisbt | 1 Mantisbt | 2017-08-28 | 5.0 MEDIUM | N/A |
| Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type. | |||||
| CVE-2014-9701 | 1 Mantisbt | 1 Mantisbt | 2017-08-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter to permalink_page.php. | |||||
| CVE-2010-4349 | 1 Mantisbt | 1 Mantisbt | 2017-08-16 | 5.0 MEDIUM | N/A |
| admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to obtain sensitive information via an invalid db_type parameter, which reveals the installation path in an error message, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | |||||