Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:mantisbt:mantisbt:0.19.3:*:*:*:*:*:*:*
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2018-6526 |
view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filter_ensure_valid_filter call in current_user_api.php. Published: February 02, 2018; 4:29:00 AM -0500 |
V3.0: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2014-9624 |
CAPTCHA bypass vulnerability in MantisBT before 1.2.19. Published: September 12, 2017; 10:29:00 AM -0400 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2014-9701 |
Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter to permalink_page.php. Published: August 09, 2017; 2:29:00 PM -0400 |
V3.0: 6.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2015-5059 |
The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects via a file id number in the file_id parameter to file_download.php. Published: August 01, 2017; 10:29:00 AM -0400 |
V3.0: 5.3 MEDIUM V2.0: 3.5 LOW |
CVE-2017-7620 |
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI. Published: May 21, 2017; 10:29:00 AM -0400 |
V3.0: 6.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-7615 |
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php. Published: April 16, 2017; 10:59:00 AM -0400 |
V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2017-7222 |
A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. This requires privileged access to MantisBT configuration management pages (i.e., administrator access rights) or altering the system configuration file (config_inc.php). Published: March 22, 2017; 1:59:00 AM -0400 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-6799 |
A cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter. Published: March 10, 2017; 5:59:00 AM -0500 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-6797 |
A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter. Published: March 09, 2017; 7:59:00 PM -0500 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2016-7111 |
MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. Published: February 17, 2017; 12:59:01 PM -0500 |
V3.0: 4.7 MEDIUM V2.0: 2.6 LOW |
CVE-2016-5364 |
Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter. Published: February 17, 2017; 12:59:00 PM -0500 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2016-6837 |
Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter. Published: January 10, 2017; 10:59:00 AM -0500 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2014-9573 |
SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. Published: January 26, 2015; 10:59:12 AM -0500 |
V3.x:(not available) V2.0: 6.0 MEDIUM |
CVE-2014-9572 |
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. Published: January 26, 2015; 10:59:11 AM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-9571 |
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. Published: January 26, 2015; 10:59:10 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-9506 |
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. Published: January 04, 2015; 4:59:03 PM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2014-9388 |
bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. Published: December 17, 2014; 2:59:08 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-8553 |
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. Published: December 17, 2014; 2:59:06 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-6316 |
core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php. Published: December 12, 2014; 6:59:03 AM -0500 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2014-9281 |
Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. Published: December 09, 2014; 6:59:12 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |