Vulnerabilities > Mantisbt > Mantisbt > 1.2.13
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2015-01-26 | CVE-2014-9571 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. | 4.3 |
2015-01-09 | CVE-2014-9272 | Cross-site Scripting vulnerability in multiple products The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. | 4.3 |
2015-01-09 | CVE-2014-9271 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. | 4.3 |
2015-01-09 | CVE-2014-9269 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. | 2.6 |
2015-01-04 | CVE-2014-9506 | Information Exposure vulnerability in Mantisbt MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | 3.5 |
2014-12-17 | CVE-2014-9388 | Improper Access Control vulnerability in Mantisbt bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. | 5.0 |
2014-12-17 | CVE-2014-8553 | Information Exposure vulnerability in Mantisbt The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. | 5.0 |
2014-12-12 | CVE-2014-6316 | URI Redirection vulnerability in MantisBT core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php. network mantisbt | 5.8 |
2014-12-09 | CVE-2014-9281 | Cross-Site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. | 4.3 |
2014-12-08 | CVE-2014-9280 | Code Injection vulnerability in Mantisbt The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter. | 7.5 |