Vulnerabilities > Mantisbt > Mantisbt > 1.1.6

DATE CVE VULNERABILITY TITLE RISK
2017-02-17 CVE-2016-7111 Cross-site Scripting vulnerability in Mantisbt
MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
network
high complexity
mantisbt CWE-79
2.6
2.6
2017-02-17 CVE-2016-5364 Cross-site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter.
network
mantisbt CWE-79
4.3
4.3
2017-01-10 CVE-2016-6837 Cross-site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter.
network
mantisbt CWE-79
4.3
4.3
2015-01-26 CVE-2014-9573 SQL Injection vulnerability in Mantisbt
SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie.
network
mantisbt CWE-89
6.0
6.0
2015-01-26 CVE-2014-9572 Improper Access Control vulnerability in Mantisbt
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.
network
low complexity
mantisbt CWE-284
7.5
7.5
2015-01-26 CVE-2014-9571 Cross-site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.
network
mantisbt CWE-79
4.3
4.3
2015-01-09 CVE-2014-9272 Cross-site Scripting vulnerability in multiple products
The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. 		4.3
4.3
2015-01-09 CVE-2014-9271 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. 		4.3
4.3
2015-01-09 CVE-2014-9269 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.
network
high complexity
mantisbt debian CWE-79
2.6
2.6
2015-01-04 CVE-2014-9506 Information Exposure vulnerability in Mantisbt
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.
network
mantisbt CWE-200
3.5
3.5