Vulnerabilities > Mantis > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2008-10-22 | CVE-2008-4688 | Information Exposure vulnerability in Mantis core/string_api.php in Mantis before 1.1.3 does not check the privileges of the viewer before composing a link with issue data in the source anchor, which allows remote attackers to discover an issue's title and status via a request with a modified issue number. | 5.0 |
2008-07-27 | CVE-2008-3332 | Code Injection vulnerability in Mantis Eval injection vulnerability in adm_config_set.php in Mantis before 1.1.2 allows remote authenticated administrators to execute arbitrary code via the value parameter. | 6.5 |
2008-01-23 | CVE-2008-0404 | Cross-Site Scripting vulnerability in Mantis Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary. | 4.3 |
2008-01-03 | CVE-2007-6611 | Cross-Site Scripting vulnerability in Mantis Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename, related to bug_report.php. | 4.3 |
2006-12-15 | CVE-2006-6574 | Information Disclosure vulnerability in Mantis Custom Fields Mantis before 1.1.0a2 does not implement per-item access control for Issue History (Bug History), which allows remote attackers to obtain sensitive information by reading the Change column, as demonstrated by the Change column of a custom field. | 5.0 |
2006-04-02 | CVE-2006-1577 | Cross-Site Scripting vulnerability in Mantis View_All_Set.PHP Multiple cross-site scripting (XSS) vulnerabilities in view_all_set.php in Mantis 1.0.1, 1.0.0rc5, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) start_day, (2) start_year, and (3) start_month parameters. network mantis | 6.8 |
2006-02-22 | CVE-2006-0841 | Input Validation vulnerability in Mantis Multiple cross-site scripting (XSS) vulnerabilities in Mantis 1.00rc4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) hide_status, (2) handler_id, (3) user_monitor, (4) reporter_id, (5) view_type, (6) show_severity, (7) show_category, (8) show_status, (9) show_resolution, (10) show_build, (11) show_profile, (12) show_priority, (13) highlight_changed, (14) relationship_type, and (15) relationship_bug parameters in (a) view_all_set.php; the (16) sort parameter in (b) manage_user_page.php; the (17) view_type parameter in (c) view_filters_page.php; and the (18) title parameter in (d) proj_doc_delete.php. network mantis | 4.3 |
2006-02-22 | CVE-2006-0840 | Input Validation vulnerability in Mantis manage_user_page.php in Mantis 1.00rc4 and earlier does not properly handle a sort parameter containing a ' (quote) character, which allows remote attackers to trigger a SQL error that may be repeatedly reported to a user who makes subsequent web accesses with the MANTIS_MANAGE_COOKIE cookie. | 5.0 |
2006-02-13 | CVE-2006-0664 | Cross-Site Scripting vulnerability in Mantis Config_Defaults_Inc.PHP Cross-site scripting (XSS) vulnerability in config_defaults_inc.php in Mantis before 1.0 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. network mantis | 4.3 |
2005-12-28 | CVE-2005-4524 | Mantis 1.0.0rc3 does not properly handle "Make note private" when a bug is being resolved, which has unknown impact and attack vectors, probably related to an information leak. | 5.0 |