Vulnerabilities (CVE)

Vendor filter

Mantisbt Subscribe

Product filter

Mantisbt Subscribe

Filter

85 total CVE
CVE Vendors Products Updated CVSS
CVE-2014-9572 1 Mantisbt 1 Mantisbt 2017-09-08 7.5
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.
CVE-2014-9571 1 Mantisbt 1 Mantisbt 2017-09-08 4.3
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.
CVE-2014-9281 1 Mantisbt 1 Mantisbt 2017-09-08 4.3
Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field.
CVE-2014-9280 1 Mantisbt 1 Mantisbt 2017-09-08 7.5
The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter.
CVE-2014-9279 1 Mantisbt 1 Mantisbt 2017-09-08 5.0
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response...
CVE-2014-9270 1 Mantisbt 1 Mantisbt 2017-09-08 4.3
Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field.
CVE-2014-9117 1 Mantisbt 1 Mantisbt 2017-09-08 5.0
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as...
CVE-2014-8988 1 Mantisbt 1 Mantisbt 2017-09-08 4.0
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not...
CVE-2014-8598 1 Mantisbt 1 Mantisbt 2017-09-08 6.4
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be...
CVE-2014-8554 1 Mantisbt 1 Mantisbt 2017-09-08 7.5
SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability...
CVE-2014-8553 1 Mantisbt 1 Mantisbt 2017-09-08 5.0
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4)...
CVE-2014-7146 1 Mantisbt 1 Mantisbt 2017-09-08 7.5
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the...
CVE-2014-6316 1 Mantisbt 1 Mantisbt 2017-09-08 5.8
core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.
CVE-2015-2046 1 Mantisbt 1 Mantisbt 2017-09-01 4.3
Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later before 1.2.20.
CVE-2014-2238 1 Mantisbt 1 Mantisbt 2017-08-29 6.5
SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter.
CVE-2013-1883 1 Mantisbt 1 Mantisbt 2017-08-29 5.0
Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type.
CVE-2012-5523 1 Mantisbt 1 Mantisbt 2017-08-29 5.5
core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing...
CVE-2012-2691 1 Mantisbt 1 Mantisbt 2017-08-29 7.5
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.
CVE-2014-9701 1 Mantisbt 1 Mantisbt 2017-08-17 4.3
Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter to permalink_page.php.
CVE-2010-4349 1 Mantisbt 1 Mantisbt 2017-08-17 5.0
admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to obtain sensitive information via an invalid db_type parameter, which reveals the installation path in an error message, related to an unsafe call by MantisBT to a...