Vulnerabilities > Mantisbt > Mantisbt > 1.2.0a2
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2015-01-09 | CVE-2014-9269 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. | 2.6 |
2014-11-13 | CVE-2014-8554 | SQL Injection vulnerability in Mantisbt SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. | 7.5 |
2012-06-29 | CVE-2012-1122 | Permissions, Privileges, and Access Controls vulnerability in Mantisbt bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project when moving a bug report, which allows remote authenticated users with the report_bug_threshold and move_bug_threshold privileges for a project to bypass intended access restrictions and move bug reports to a different project. | 3.6 |
2012-06-29 | CVE-2012-1118 | Permissions, Privileges, and Access Controls vulnerability in Mantisbt The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform certain operations on private bug reports. | 4.3 |
2008-09-24 | CVE-2008-3102 | Cryptographic Issues vulnerability in Mantisbt Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | 5.0 |