VYPR

Mantisbt

by Mantisbt

Source repositories

CVEs (125)

  • CVE-2022-26144Apr 13, 2022
    risk 0.00cvss epss 0.01

    An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code (if CSP allows it) in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed.

  • CVE-2009-2802Nov 9, 2019
    risk 0.00cvss epss 0.01

    MantisBT 1.2.x before 1.2.2 insecurely handles attachments and MIME types. Arbitrary inline attachment rendering could lead to cross-domain scripting or other browser attacks.

  • CVE-2013-1811Nov 7, 2019
    risk 0.00cvss epss 0.01

    An access control issue in MantisBT before 1.2.13 allows users with "Reporter" permissions to change any issue to "New".

  • CVE-2013-1934Oct 31, 2019
    risk 0.00cvss epss 0.01

    A cross-site scripting (XSS) vulnerability in the configuration report page (adm_config_report.php) in MantisBT 1.2.0rc1 before 1.2.14 allows remote authenticated users to inject arbitrary web script or HTML via a complex value.

  • CVE-2013-1932Oct 31, 2019
    risk 0.00cvss epss 0.01

    A cross-site scripting (XSS) vulnerability in the configuration report page (adm_config_report.php) in MantisBT 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via a project name.

  • CVE-2013-1931Oct 31, 2019
    risk 0.00cvss epss 0.02

    A cross-site scripting (XSS) vulnerability in MantisBT 1.2.14 allows remote attackers to inject arbitrary web script or HTML via a version, related to deleting a version.

  • CVE-2013-1930Oct 31, 2019
    risk 0.00cvss epss 0.01

    MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow restriction and close issues.

  • CVE-2018-9839Jun 6, 2019
    risk 0.00cvss epss 0.01

    An issue was discovered in MantisBT through 1.3.14, and 2.0.0. Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce,…

  • CVE-2018-6526MedFeb 2, 2018
    risk 0.00cvss 5.3epss 0.04

    view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filter_ensure_valid_filter call in current_user_api.php.

  • CVE-2014-8987Aug 24, 2015
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via the config_option parameter, a different…

  • CVE-2015-1042Feb 10, 2015
    risk 0.00cvss epss 0.02

    The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to…

  • CVE-2014-9573Jan 26, 2015
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie.

  • CVE-2014-9572Jan 26, 2015
    risk 0.00cvss epss 0.02

    MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

  • CVE-2014-9571Jan 26, 2015
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

  • CVE-2014-9272Jan 9, 2015
    risk 0.00cvss epss 0.02

    The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.

  • CVE-2014-9269Jan 9, 2015
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.

  • CVE-2014-9506Jan 4, 2015
    risk 0.00cvss epss 0.01

    MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.

  • CVE-2014-9388Dec 17, 2014
    risk 0.00cvss epss 0.02

    bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.

  • CVE-2014-8553Dec 17, 2014
    risk 0.00cvss epss 0.02

    The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request.

  • CVE-2014-6316Dec 12, 2014
    risk 0.00cvss epss 0.02

    core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.

Page 4 of 7