Vulnerabilities (CVE)

85 total CVE
Columns: CVE | Vendors (count and names) | Products (count and names) | Updated | CVSS

CVE-2017-7615 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-08-16 | CVSS: 6.5
  MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.

CVE-2017-12062 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-08-15 | CVSS: 4.3
  An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.

CVE-2017-12061 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-08-15 | CVSS: 4.3
  An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to...

CVE-2017-12419 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-08-09 | CVSS: 4.0
  If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide), and the MySQL...

CVE-2015-5059 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-08-07 | CVSS: 3.5
  The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects...

CVE-2017-7309 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-07-12 | CVSS: 3.5
  A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed...

CVE-2017-7241 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-07-12 | CVSS: 3.5
  A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection...

CVE-2017-6973 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-07-12 | CVSS: 3.5
  A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. This is fixed in 1.3.8, 2.1.2, and 2.2.2.

CVE-2017-7897 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-07-11 | CVSS: 4.3
  A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP...

CVE-2017-7620 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-07-08 | CVSS: 4.3
  MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname,...

CVE-2017-7222 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-03-23 | CVSS: 4.3
  A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. This requires...

CVE-2016-7111 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-02-22 | CVSS: 2.6
  MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

CVE-2016-5364 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-02-22 | CVSS: 4.3
  Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter.

CVE-2016-6837 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-01-11 | CVSS: 4.3
  Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter.

CVE-2014-1609 | Vendors: 2 (Debian, Mantisbt) | Products: 2 (Debian Linux, Mantisbt) | Updated: 2017-01-07 | CVSS: 7.5
  Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2)...

CVE-2014-1608 | Vendors: 2 (Debian, Mantisbt) | Products: 2 (Debian Linux, Mantisbt) | Updated: 2017-01-07 | CVSS: 7.5
  SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request.

CVE-2014-9506 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-01-03 | CVSS: 3.5
  MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.

CVE-2014-9388 | Vendors: 1 (Mantisbt) | Products: 1 (Mantisbt) | Updated: 2017-01-03 | CVSS: 5.0
  bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.

CVE-2014-9272 | Vendors: 2 (Debian, Mantisbt) | Products: 2 (Debian Linux, Mantisbt) | Updated: 2017-01-03 | CVSS: 4.3
  The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.

CVE-2014-9271 | Vendors: 2 (Debian, Mantisbt) | Products: 2 (Debian Linux, Mantisbt) | Updated: 2017-01-03 | CVSS: 4.3
  Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as...