MantisBT 0.19.1 Security Vulnerabilities
Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter.
CVSS Score: 6.1
EPSS Score: 0.009
Published: 2017-01-10
SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie.
CVSS Score: 6.0
EPSS Score: 0.004
Published: 2015-01-26
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.
CVSS Score: 7.5
EPSS Score: 0.009
Published: 2015-01-26
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.
CVSS Score: 4.3
EPSS Score: 0.004
Published: 2015-01-26
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.
CVSS Score: 3.5
EPSS Score: 0.002
Published: 2015-01-04
bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.
CVSS Score: 5.0
EPSS Score: 0.004
Published: 2014-12-17
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request.
CVSS Score: 5.0
EPSS Score: 0.006
Published: 2014-12-17
core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.
CVSS Score: 5.8
EPSS Score: 0.006
Published: 2014-12-12
Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field.
CVSS Score: 4.3
EPSS Score: 0.006
Published: 2014-12-09
The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter.
CVSS Score: 7.5
EPSS Score: 0.01
Published: 2014-12-08

