Vulnerabilities > Mantisbt > Mantisbt > 0.19.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-02-17 | CVE-2016-5364 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter. | 4.3 |
| 2017-01-10 | CVE-2016-6837 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter. | 4.3 |
| 2015-01-26 | CVE-2014-9573 | SQL Injection vulnerability in Mantisbt SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. | 6.0 |
| 2015-01-26 | CVE-2014-9572 | Improper Access Control vulnerability in Mantisbt MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. | 7.5 |
| 2015-01-26 | CVE-2014-9571 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. | 4.3 |
| 2015-01-04 | CVE-2014-9506 | Information Exposure vulnerability in Mantisbt MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | 3.5 |
| 2014-12-17 | CVE-2014-9388 | Improper Access Control vulnerability in Mantisbt bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. | 5.0 |
| 2014-12-17 | CVE-2014-8553 | Information Exposure vulnerability in Mantisbt The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. | 5.0 |
| 2014-12-12 | CVE-2014-6316 | URI Redirection vulnerability in MantisBT core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php. network mantisbt | 5.8 |
| 2014-12-09 | CVE-2014-9281 | Cross-Site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. | 4.3 |