Mantisbt

Mantisbt

115 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5

CVE-2014-8553

  • EPSS 0.64%
  • Veröffentlicht 17.12.2014 19:59:06
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_ge...

5.8

CVE-2014-6316

Exploit
  • EPSS 0.61%
  • Veröffentlicht 12.12.2014 11:59:03
  • Zuletzt bearbeitet 12.04.2025 10:46:40

core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.

4.3

CVE-2014-9281

  • EPSS 0.56%
  • Veröffentlicht 09.12.2014 23:59:12
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field.

7.5

CVE-2014-9280

Exploit
  • EPSS 1%
  • Veröffentlicht 08.12.2014 16:59:13
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter.

5

CVE-2014-9279

  • EPSS 0.47%
  • Veröffentlicht 08.12.2014 16:59:12
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent ...

4.3

CVE-2014-9270

  • EPSS 0.43%
  • Veröffentlicht 08.12.2014 16:59:10
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field...

5

CVE-2014-9117

  • EPSS 0.63%
  • Veröffentlicht 06.12.2014 21:59:02
  • Zuletzt bearbeitet 12.04.2025 10:46:40

MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as dem...

7.5

CVE-2014-9089

Exploit
  • EPSS 0.54%
  • Veröffentlicht 28.11.2014 15:59:11
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php.

4

CVE-2014-8988

  • EPSS 0.4%
  • Veröffentlicht 24.11.2014 15:59:14
  • Zuletzt bearbeitet 12.04.2025 10:46:40

MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict...

3.5

CVE-2014-8986

  • EPSS 0.53%
  • Veröffentlicht 24.11.2014 15:59:13
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted...