Vulnerabilities > Mantisbt > Mantisbt > 1.1.6
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-02-17 | CVE-2016-7111 | Cross-site Scripting vulnerability in Mantisbt MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. | 2.6 |
2017-02-17 | CVE-2016-5364 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter. | 4.3 |
2017-01-10 | CVE-2016-6837 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter. | 4.3 |
2015-01-26 | CVE-2014-9573 | SQL Injection vulnerability in Mantisbt SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. | 6.0 |
2015-01-26 | CVE-2014-9572 | Improper Access Control vulnerability in Mantisbt MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. | 7.5 |
2015-01-26 | CVE-2014-9571 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. | 4.3 |
2015-01-09 | CVE-2014-9272 | Cross-site Scripting vulnerability in multiple products The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. | 4.3 |
2015-01-09 | CVE-2014-9271 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. | 4.3 |
2015-01-09 | CVE-2014-9269 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. | 2.6 |
2015-01-04 | CVE-2014-9506 | Information Exposure vulnerability in Mantisbt MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | 3.5 |