CVE-2005-3091 - Remote cross-site scripting (XSS) vulnerability in Mantis before 1.0.0rc1

CVSS v2 base score: 4.3 (MEDIUM)
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE

Summary

Cross-site scripting (XSS) vulnerability in Mantis before 1.0.0rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified attack vectors; the issue is tracked as Mantis bug #0005751 (reported by "thraxisp"). Because the injection point is not identified here, detection relies on version or package checks (the Nessus plugins below) rather than on a targeted request.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-778.NASL
    description: Two security related problems have been discovered in Mantis, a web-based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-2556 A remote attacker could supply a specially crafted URL to scan arbitrary ports on arbitrary hosts that may not be accessible otherwise. - CAN-2005-2557 A remote attacker was able to insert arbitrary HTML code in bug reports, hence, cross site scripting. - CAN-2005-3090 A remote attacker was able to insert arbitrary HTML code in bug reports, hence, cross site scripting. The old stable distribution (woody) does not seem to be affected by these problems. [Note: the advisory text names three identifiers and does not mention CVE-2005-3091, although the plugin's script_cve_id below attaches it.]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19475
    published: 2005-08-23
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19475
    title: Debian DSA-778-1 : mantis - missing input sanitising
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-778. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration: when `description` is set the script records its
    # attributes and exit(0)s without ever reaching the package check below.
    if (description)
    {
      script_id(19475);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      # Four CVE ids are attached to this plugin, but the advisory text below
      # names only CAN-2005-2556, -2557 and -3090. CVE-2005-3091 is registered
      # here without being described; DSA-905 (plugin 22771) is the advisory
      # that describes it and it requires the later 0.19.2-4.1 package.
      script_cve_id("CVE-2005-2556", "CVE-2005-2557", "CVE-2005-3090", "CVE-2005-3091");
      script_bugtraq_id(14604);
      script_xref(name:"DSA", value:"778");
    
      script_name(english:"Debian DSA-778-1 : mantis - missing input sanitising");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text reproduced from DSA-778. It says "Two" problems but lists
      # three identifiers, and uses identical wording for 2557 and 3090.
      script_set_attribute(
        attribute:"description", 
        value:
    "Two security related problems have been discovered in Mantis, a
    web-based bug tracking system. The Common Vulnerabilities and
    Exposures project identifies the following problems :
    
      - CAN-2005-2556
        A remote attacker could supply a specially crafted URL
        to scan arbitrary ports on arbitrary hosts that may not
        be accessible otherwise.
    
      - CAN-2005-2557
    
        A remote attacker was able to insert arbitrary HTML code
        in bug reports, hence, cross site scripting.
    
      - CAN-2005-3090
    
        A remote attacker was able to insert arbitrary HTML code
        in bug reports, hence, cross site scripting.
    
    The old stable distribution (woody) does not seem to be affected by
    these problems."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-778"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the mantis package.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 0.19.2-4."
      );
      # CVSSv2 scoring and exploitability flags describe the whole DSA bundle,
      # not CVE-2005-3091 alone: partial C/I/A impact is more severe than the
      # C:N/I:P/A:N profile of the XSS by itself, and the page does not say
      # which of the four CVEs the "Exploits are available" flag refers to.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # Local check scoped to the Debian 3.1 (sarge) "mantis" package; it does
      # not talk to the web application.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mantis");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/08/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/23");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Depends on SSH-gathered host information; the required KB keys are the
      # same three the check below audits out on when they are missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    # Preconditions for a local Debian package check: local checks enabled,
    # a Debian release string and a dpkg -l listing in the KB. A missing item
    # is reported through audit() with the matching reason code.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))       audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))        audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Single package/version comparison against the DSA-778 fix for sarge
    # (0.19.2-4, per the solution text). This is a dpkg version test only:
    # no request is sent to the web application, and a Mantis installed
    # outside the Debian package (e.g. from upstream source) is not seen by
    # this plugin -- the remote "CGI abuses" plugins cover that case.
    is_outdated = deb_check(release:"3.1", prefix:"mantis", reference:"0.19.2-4");
    
    if (!is_outdated)
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-905.NASL
    description: Several security related problems have been discovered in Mantis, a web-based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3091 A cross-site scripting vulnerability allows attackers to inject arbitrary web script or HTML. - CVE-2005-3335 A file inclusion vulnerability allows remote attackers to execute arbitrary PHP code and include arbitrary local files. - CVE-2005-3336 A SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands. - CVE-2005-3338 Mantis can be tricked into displaying the otherwise hidden real mail address of its users. [Note: this is the advisory that describes CVE-2005-3091 directly; the package version it requires (0.19.2-4.1, see the solution below) supersedes DSA-778's 0.19.2-4.]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22771
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22771
    title: Debian DSA-905-1 : mantis - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-905. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration: when `description` is set the script records its
    # attributes and exit(0)s without ever reaching the package check below.
    if (description)
    {
      script_id(22771);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      # Six CVE ids are attached, but the advisory text below describes only
      # 3091, 3335, 3336 and 3338; CVE-2005-3090 and CVE-2005-3339 are
      # registered here without a description.
      script_cve_id("CVE-2005-3090", "CVE-2005-3091", "CVE-2005-3335", "CVE-2005-3336", "CVE-2005-3338", "CVE-2005-3339");
      script_xref(name:"DSA", value:"905");
    
      script_name(english:"Debian DSA-905-1 : mantis - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text reproduced from DSA-905. Besides the XSS this bundles a
      # file-inclusion issue (arbitrary PHP execution) and a SQL injection, so
      # a hit here is not just a reflected-script problem.
      script_set_attribute(
        attribute:"description", 
        value:
    "Several security related problems have been discovered in Mantis, a
    web-based bug tracking system. The Common Vulnerabilities and
    Exposures project identifies the following problems :
    
      - CVE-2005-3091
        A cross-site scripting vulnerability allows attackers to
        inject arbitrary web script or HTML.
    
      - CVE-2005-3335
        A file inclusion vulnerability allows remote attackers
        to execute arbitrary PHP code and include arbitrary
        local files.
    
      - CVE-2005-3336
        A SQL injection vulnerability allows remote attackers to
        execute arbitrary SQL commands.
    
      - CVE-2005-3338
        Mantis can be tricked into displaying the otherwise
        hidden real mail address of its users."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330682"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335938"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-905"
      );
      # The fix version (0.19.2-4.1) is one revision past DSA-778's 0.19.2-4:
      # a host patched only for DSA-778 is still reported by this plugin.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the mantis package.
    
    The old stable distribution (woody) is not affected by these problems.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 0.19.2-4.1."
      );
      # Plugin-level CVSSv2 score for the whole bundle (partial C/I/A), which
      # is more severe than CVE-2005-3091's own C:N/I:P/A:N profile. Unlike
      # plugin 19475, no temporal vector or exploitability flags are set here.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Local check scoped to the Debian 3.1 (sarge) "mantis" package.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mantis");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      # The plugin was published almost a year after the patch date; scans
      # run before 2006/10/14 could not have reported this DSA.
      script_set_attribute(attribute:"patch_publication_date", value:"2005/11/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Depends on SSH-gathered host information; the required KB keys are the
      # same three the check below audits out on when they are missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    # Preconditions for a local Debian package check: local checks enabled,
    # a Debian release string and a dpkg -l listing in the KB. A missing item
    # is reported through audit() with the matching reason code.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))       audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))        audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Single package/version comparison against the DSA-905 fix for sarge.
    # 0.19.2-4.1 is one revision past DSA-778's 0.19.2-4, so a host patched
    # only for DSA-778 is still reported here. This is a dpkg version test
    # only: no request is sent to the web application, and a Mantis installed
    # outside the Debian package is not seen by this plugin.
    is_outdated = deb_check(release:"3.1", prefix:"mantis", reference:"0.19.2-4.1");
    
    if (!is_outdated)
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: CGI abuses
    NASL id: MANTIS_MULTIPLE_VULNS4.NASL
    description: According to its banner, the version of Mantis on the remote host fails to sanitize user-supplied input to the … (description truncated in source)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19473
    published: 2005-08-22
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19473
    title: Mantis < 1.0.0rc2 Multiple Vulnerabilities (a remote, banner-based check rather than a credentialed dpkg check: it flags on the reported version alone, and its "< 1.0.0rc2" cut-off is wider than the "before 1.0.0rc1" range given in the summary above)
  • NASL family: CGI abuses
    NASL id: MANTIS_FILE_INCL_SQL_INJECT.NASL
    description: The remote version of Mantis suffers from a remote file inclusion vulnerability. Provided PHP … (description truncated in source)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20093
    published: 2005-10-27
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20093
    title: Mantis < 0.19.3 Multiple Vulnerabilities