Mantisbt

Mantisbt

119 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2014-9271

Exploit
  • EPSS 0.83%
  • Veröffentlicht 09.01.2015 18:59:02
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated ...

2.6

CVE-2014-9269

  • EPSS 0.41%
  • Veröffentlicht 09.01.2015 18:59:01
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.

3.5

CVE-2014-9506

  • EPSS 0.19%
  • Veröffentlicht 04.01.2015 21:59:03
  • Zuletzt bearbeitet 12.04.2025 10:46:40

MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.

5

CVE-2014-9388

  • EPSS 0.43%
  • Veröffentlicht 17.12.2014 19:59:08
  • Zuletzt bearbeitet 12.04.2025 10:46:40

bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.

5

CVE-2014-8553

  • EPSS 0.64%
  • Veröffentlicht 17.12.2014 19:59:06
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_ge...

5.8

CVE-2014-6316

Exploit
  • EPSS 0.61%
  • Veröffentlicht 12.12.2014 11:59:03
  • Zuletzt bearbeitet 12.04.2025 10:46:40

core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.

4.3

CVE-2014-9281

  • EPSS 0.56%
  • Veröffentlicht 09.12.2014 23:59:12
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field.

7.5

CVE-2014-9280

Exploit
  • EPSS 1%
  • Veröffentlicht 08.12.2014 16:59:13
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter.

5

CVE-2014-9279

  • EPSS 0.47%
  • Veröffentlicht 08.12.2014 16:59:12
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent ...

4.3

CVE-2014-9270

  • EPSS 0.43%
  • Veröffentlicht 08.12.2014 16:59:10
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field...