VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 28, 2005· Updated Jun 16, 2026

CVE-2005-4519

CVE-2005-4519

Description

Multiple SQL injection vulnerabilities in the manage user page (manage_user_page.php) in Mantis 1.0.0rc3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) prefix and (2) sort parameters to the manage user page (manage_user_page.php), or (3) the sort parameter to view_all_set.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

65
  • Mantisbt/Mantis65 versions
    cpe:2.3:a:mantis:mantis:*:*:*:*:*:*:*:*+ 64 more
    • cpe:2.3:a:mantis:mantis:*:*:*:*:*:*:*:*range: <=0.19.3
    • cpe:2.3:a:mantis:mantis:0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.14.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.11:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.12:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.15.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.16.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.16.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.17.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.17.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.17.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.17.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.17.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.17.4a:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.17.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.18.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.18.0a3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.18.0a4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.18.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.18.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.18a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0a:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0a3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0_rc2:*:*:*:*:*:*:*
    • (no CPE)range: <=1.0.0rc3

Patches

Vulnerability mechanics

Root cause

"Lack of proper sanitization of user-supplied input before using it in SQL queries in manage_user_page.php and view_all_set.php."

Attack vector

An attacker sends a crafted HTTP request to `manage_user_page.php` with a malicious `prefix` parameter (GET) or `sort` parameter (POST) containing SQL metacharacters. Because user-supplied input is used directly in a SQL query without sanitization, the attacker can manipulate the query to extract or modify database contents. The first two vectors require administrative privileges, while the third vector in `view_all_set.php` via the `sort` parameter can be exploited by any anonymous user, though injection occurs only after an ORDER BY clause, limiting impact [ref_id=1].

Affected code

The advisory identifies `manage_user_page.php` as the vulnerable script for the first two SQL injection issues, with the `prefix` parameter (GET) and `sort` parameter (POST) lacking sanitization. The third SQL injection is in `view_all_set.php` via the `sort` GET parameter [ref_id=1]. No patch diff is available in the bundle.

What the fix does

The advisory states that the vendor released Mantis 0.19.4 / 1.0.0rc4 to address these issues, but no patch diff is included in the bundle [ref_id=1]. The recommended remediation is to upgrade to Mantis 0.19.4 / 1.0.0rc4 or newer, which presumably adds proper input sanitization or parameterized queries for the `prefix` and `sort` parameters in `manage_user_page.php` and `view_all_set.php`.

Preconditions

  • authFor the prefix and sort parameters in manage_user_page.php, the attacker must be an administrative user.
  • authFor the sort parameter in view_all_set.php, no authentication is required; any anonymous user can exploit it.
  • configThe application must be Mantis version 0.19.3 or earlier (or 1.0.0rc3 and earlier per the CVE description).
  • inputThe attacker sends a crafted HTTP GET or POST request containing SQL metacharacters in the vulnerable parameter.

Reproduction

The advisory provides proof-of-concept requests. For the first SQL injection: `GET [path_to_mantis]/manage_user_page.php?prefix=A[SQL]`. For the second: `POST [path_to_mantis]/manage_user_page.php` with body `sort=username[SQL]&dir=ASC&save=1`. For the third: `GET [path_to_mantis]/view_all_set.php?sort=priority[SQL]` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

12

News mentions

0

No linked articles in our index yet.