CVE-2019-15715
Description
MantisBT before 1.3.20 and 2.22.1 allows authenticated admins to execute arbitrary commands via unvalidated neato_tool and dot_tool configuration options.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2019-15715 is a post-authentication command injection vulnerability in MantisBT. The issue stems from insufficient validation of user-supplied values for the neato_tool and dot_tool configuration settings. These settings hold the paths to the external Graphviz utilities used for rendering diagrams, and the path is concatenated into the command line handed to the shell. An attacker with administrative privileges can modify these settings via the configuration management interface, injecting arbitrary commands that will be executed by the application [1][4].
Exploitation
To exploit this vulnerability, an attacker must have valid credentials with administrative-level access to the MantisBT instance. No other prerequisites are required; the attacker can simply navigate to the configuration page and set neato_tool or dot_tool to a malicious value (e.g., a command chain). When MantisBT subsequently invokes the tool (e.g., during diagram generation), the injected commands are executed on the server [4].
Impact
Successful exploitation leads to remote code execution (RCE) under the privileges of the web server user. This can allow the attacker to read, modify, or delete files, install backdoors, or pivot to other systems within the network. The vulnerability is rated with a CVSS score of 7.2 (High) per NVD [3].
Mitigation
MantisBT versions 1.3.20 and 2.22.1 have been released to fix this issue. The patch adds neato_tool and dot_tool to the list of global settings that cannot be overridden via the database (that is, through the configuration management interface), thus preventing command injection through normal configuration channels; a companion change wraps the Graphviz command line in escapeshellcmd() before proc_open() [1][4]. Administrators should upgrade immediately or restrict administrative access to trusted users if an upgrade is not possible.
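The Root Cause and Mitigation sections above describe the two halves of the problem: a configured tool path is concatenated into a shell command string, and the fix is to make that path non-overridable and escape the string. The following is an added example, not MantisBT's own code, showing the vulnerable shape beside one hardened shape a defender can apply in a PHP code base: the configured binary is checked against a small allow-list of Graphviz tool names, the output format is checked against a fixed set, and proc_open() receives an argv array (supported since PHP 7.4) so no shell ever parses the string. The function names, the constructed format and tool lists, and the sample malicious value are assumptions for illustration.

```php
<?php
// Added example (not MantisBT code): hardening a Graphviz invocation whose
// binary path comes from configuration. Assumes PHP >= 7.4 for array commands.

// Constructed allow-lists: the formats this code is prepared to emit and the
// Graphviz binaries it is willing to execute.
const GRAPHVIZ_FORMATS = ['dot', 'svg', 'png', 'gif', 'cmapx'];
const GRAPHVIZ_TOOLS   = ['dot', 'neato'];

/**
 * Accept only an absolute path to an existing executable whose basename is a
 * known Graphviz tool. A value carrying a command chain fails because realpath()
 * cannot resolve it, so nothing is ever handed to a process.
 */
function graphviz_validate_tool(string $p_tool): string {
    $t_real = realpath($p_tool);
    if ($t_real === false || !is_executable($t_real)) {
        throw new InvalidArgumentException('graphviz tool is not an executable path');
    }
    if (!in_array(basename($t_real), GRAPHVIZ_TOOLS, true)) {
        throw new InvalidArgumentException('graphviz tool basename is not allowed');
    }
    return $t_real;
}

/** Accept only a format from the fixed set, never a caller-supplied string. */
function graphviz_validate_format(string $p_format): string {
    if (!in_array($p_format, GRAPHVIZ_FORMATS, true)) {
        throw new InvalidArgumentException('unsupported graphviz output format');
    }
    return $p_format;
}

/**
 * Vulnerable shape, as in the pre-fix code: a single string is built and later
 * given to the shell, so metacharacters in the configured path become commands.
 */
function graphviz_command_unsafe(string $p_tool, string $p_format): string {
    return $p_tool . ' -T' . $p_format;
}

/**
 * Hardened shape: validated binary and format, passed as an argv array. PHP
 * executes array commands directly without /bin/sh, so the arguments are never
 * re-parsed. This does not rely on escapeshellcmd(), which leaves spaces
 * untouched and therefore still permits extra arguments to be appended.
 */
function graphviz_render(string $p_tool, string $p_format, string $p_dot_source): string {
    $t_argv = [graphviz_validate_tool($p_tool), '-T' . graphviz_validate_format($p_format)];
    $t_descriptors = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $t_proc = proc_open($t_argv, $t_descriptors, $t_pipes);
    if (!is_resource($t_proc)) {
        throw new RuntimeException('could not start graphviz');
    }
    fwrite($t_pipes[0], $p_dot_source);
    fclose($t_pipes[0]);
    $t_out = stream_get_contents($t_pipes[1]);
    $t_err = stream_get_contents($t_pipes[2]);
    fclose($t_pipes[1]);
    fclose($t_pipes[2]);
    if (proc_close($t_proc) !== 0) {
        throw new RuntimeException('graphviz failed: ' . $t_err);
    }
    return $t_out;
}

// Demo with a constructed attacker-style configuration value: the pre-fix
// concatenation yields a command chain, the hardened path refuses it before
// any process is started.
$t_bad_tool = '/usr/bin/dot; echo injected';
echo graphviz_command_unsafe($t_bad_tool, 'svg'), "\n";
try {
    graphviz_render($t_bad_tool, 'svg', 'digraph { a -> b }');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allow-list on the binary name is the part that matters even after the configuration path is locked down: an administrator who can still edit config_inc.php on disk is trusted, but a typo or a compromised deployment pipeline cannot turn the setting into a shell pipeline. The argv form is preferred over escapeshellcmd() because escaping fixes the string for one shell's grammar, while an argv array removes the shell from the picture.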
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 1.3.20 | 1.3.20 |
| mantisbt/mantisbt (Packagist) | >= 2.0.0, < 2.22.1 | 2.22.1 |
Affected products
- MantisBT/MantisBT
Patches
7092573fac31 Prevent arbitrary shell command execution
1 file changed · +1 −1
config_defaults_inc.php+1 −1 modified@@ -4299,7 +4299,7 @@ 'class_path','library_path', 'language_path', 'absolute_path_default_upload_folder', 'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page', 'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url', - 'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique' + 'neato_tool', 'dot_tool' ); /**
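Review bot: as rendered, the `+` line replaces `'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique'` with only `'neato_tool', 'dot_tool'`, which would drop those four names from the protected list and make them database-overridable again. If the hunk really reads this way, the intended change is to append the two new names after `'email_ensure_unique',` as the 2.x counterpart fc7668c8e45d does; if this is only a truncated rendering of the diff, no action is needed.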
5fb979604d88 Escape GraphViz command before calling proc_open()
1 file changed · +1 −1
core/graphviz_api.php+1 −1 modified@@ -352,7 +352,7 @@ function output( $p_format = 'dot', $p_headers = false ) { # Start dot process - $t_command = $this->graphviz_tool . ' -T' . $p_format; + $t_command = escapeshellcmd( $this->graphviz_tool . ' -T' . $p_format ); $t_descriptors = array( 0 => array( 'pipe', 'r', ), 1 => array( 'pipe', 'w', ),
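Review bot: wrapping the whole string in escapeshellcmd() neutralises shell metacharacters but does not escape spaces, so extra arguments can still be appended through either `$this->graphviz_tool` or `$p_format`. The tool path becomes a trusted value once the companion config change blocks database overrides, but `$p_format` is concatenated unchecked; validate it against the fixed set of formats this class emits before building the command, or, where the supported PHP version allows, pass an argv array to proc_open() so no shell parses the string at all.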
cebfb9acb368 Escape GraphViz command before calling proc_open()
1 file changed · +1 −1
core/graphviz_api.php+1 −1 modified@@ -352,7 +352,7 @@ function output( $p_format = 'dot', $p_headers = false ) { # Start dot process - $t_command = $this->graphviz_tool . ' -T' . $p_format; + $t_command = escapeshellcmd( $this->graphviz_tool . ' -T' . $p_format ); $t_descriptors = array( 0 => array( 'pipe', 'r', ), 1 => array( 'pipe', 'w', ),
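Review bot: this is the same one-line change as 5fb979604d88 on another branch, and like it the commit touches 1 file with no test exercising output() when the tool path or format carries shell metacharacters. A small unit test asserting that the built `$t_command` is escaped (or that such input is rejected) would keep both branches from regressing, and the docblock of output() should state that `$p_format` reaches the shell and must not be caller-controlled.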
fc7668c8e45d Prevent arbitrary shell command execution
1 file changed · +1 −1
config_defaults_inc.php+1 −1 modified@@ -4361,7 +4361,7 @@ 'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page', 'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url', 'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique', - 'impersonate_user_threshold', 'email_retry_in_days' + 'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool' ); /**
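Review bot: appending `'neato_tool', 'dot_tool'` to the global-only list closes the database override path, but the hunk shows nothing that tells an administrator why a submitted value is refused. Confirm that the code consuming this list surfaces an error in the configuration management page rather than silently discarding the value, since a silent drop makes the behaviour change invisible and hard to audit, and add a changelog line noting that these two options must now be set in config_inc.php.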
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v23g-wjvq-2fpf (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15715 (advisory)
- packetstormsecurity.com/files/159219/Mantis-Bug-Tracker-2.3.0-Remote-Code-Execution.html
- github.com/mantisbt/mantisbt/commit/5fb979604d88c630343b3eaf2b435cd41918c501
- github.com/mantisbt/mantisbt/commit/7092573fac31eff41823f13540324db167c8bd52
- github.com/mantisbt/mantisbt/commit/cebfb9acb3686e8904d80bd4bc80720b54ba08e5
- github.com/mantisbt/mantisbt/commit/fc7668c8e45db55fc3a4b991ea99d2b80861a14c
- mantisbt.org/bugs/changelog_page.php
- mantisbt.org/bugs/view.php
- mantisbt.org/bugs/view.php
News mentions
No linked articles in our index yet.