Mantisbt

Mantisbt

122 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2014-9572

  • EPSS 0.92%
  • Veröffentlicht 26.01.2015 15:59:11
  • Zuletzt bearbeitet 12.04.2025 10:46:40

MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

4.3

CVE-2014-9571

Exploit
  • EPSS 0.45%
  • Veröffentlicht 26.01.2015 15:59:10
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

4.3

CVE-2014-9272

  • EPSS 0.44%
  • Veröffentlicht 09.01.2015 18:59:03
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.

5.4

CVE-2014-9271

Exploit
  • EPSS 0.83%
  • Veröffentlicht 09.01.2015 18:59:02
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated ...

2.6

CVE-2014-9269

  • EPSS 0.41%
  • Veröffentlicht 09.01.2015 18:59:01
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.

3.5

CVE-2014-9506

  • EPSS 0.19%
  • Veröffentlicht 04.01.2015 21:59:03
  • Zuletzt bearbeitet 12.04.2025 10:46:40

MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.

5

CVE-2014-9388

  • EPSS 0.43%
  • Veröffentlicht 17.12.2014 19:59:08
  • Zuletzt bearbeitet 12.04.2025 10:46:40

bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.

5

CVE-2014-8553

  • EPSS 0.64%
  • Veröffentlicht 17.12.2014 19:59:06
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_ge...

5.8

CVE-2014-6316

Exploit
  • EPSS 0.61%
  • Veröffentlicht 12.12.2014 11:59:03
  • Zuletzt bearbeitet 12.04.2025 10:46:40

core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.

4.3

CVE-2014-9281

  • EPSS 0.56%
  • Veröffentlicht 09.12.2014 23:59:12
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field.