Vulnerabilities (CVE)

Vendor filter

Mantisbt Subscribe

Product filter

Mantisbt Subscribe

Filter

85 total CVE
CVE Vendors Products Updated CVSS
CVE-2014-9269 2 Debian, Mantisbt 2 Debian Linux, Mantisbt 2017-01-03 2.6
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.
CVE-2014-9089 2 Debian, Mantisbt 2 Debian Linux, Mantisbt 2017-01-03 7.5
Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php.
CVE-2014-8986 1 Mantisbt 1 Mantisbt 2017-01-03 3.5
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a...
CVE-2014-9759 1 Mantisbt 1 Mantisbt 2016-12-03 5.0
Incomplete blacklist vulnerability in the config_is_private function in config_api.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request.
CVE-2015-1042 1 Mantisbt 1 Mantisbt 2015-11-27 5.8
The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash)...
CVE-2014-8987 1 Mantisbt 1 Mantisbt 2015-08-25 3.5
Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via the...
CVE-2014-6387 1 Mantisbt 1 Mantisbt 2014-10-23 5.0
gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind.
CVE-2013-1810 1 Mantisbt 1 Mantisbt 2014-05-16 2.1
Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the...
CVE-2013-0197 1 Mantisbt 1 Mantisbt 2014-05-16 4.3
Cross-site scripting (XSS) vulnerability in the filter_draw_selection_area2 function in core/filter_api.php in MantisBT 1.2.12 before 1.2.13 allows remote attackers to inject arbitrary web script or HTML via the match_type parameter to bugs/search.php.
CVE-2013-4460 1 Mantisbt 1 Mantisbt 2014-01-10 3.5
Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name.
CVE-2012-2692 1 Mantisbt 1 Mantisbt 2013-08-27 3.6
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete...
CVE-2012-1123 1 Mantisbt 1 Mantisbt 2013-08-27 7.5
The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass authentication via a null password.
CVE-2012-1122 1 Mantisbt 1 Mantisbt 2013-08-27 3.6
bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project when moving a bug report, which allows remote authenticated users with the report_bug_threshold and...
CVE-2012-1121 1 Mantisbt 1 Mantisbt 2013-08-27 4.9
MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories.
CVE-2012-1120 1 Mantisbt 1 Mantisbt 2013-08-27 3.6
The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which allows remote authenticated users with read and write SOAP API privileges to delete arbitrary bug...
CVE-2012-1119 1 Mantisbt 1 Mantisbt 2013-08-27 6.4
MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection.
CVE-2012-1118 1 Mantisbt 1 Mantisbt 2013-08-27 4.3
The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform...
CVE-2011-3755 1 Mantisbt 1 Mantisbt 2013-08-27 5.0
MantisBT 1.2.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by view_all_inc.php and certain other files.
CVE-2011-2938 1 Mantisbt 1 Mantisbt 2013-08-27 4.3
Multiple cross-site scripting (XSS) vulnerabilities in filter_api.php in MantisBT before 1.2.7 allow remote attackers to inject arbitrary web script or HTML via a parameter, as demonstrated by the project_id parameter to search.php.
CVE-2010-4350 1 Mantisbt 1 Mantisbt 2013-08-27 5.1
Directory traversal vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the db_type parameter, related to an unsafe call by MantisBT to...