Vulnerabilities > Mantisbt > Mantisbt > 1.2.14

DATE CVE VULNERABILITY TITLE RISK
2017-03-22 CVE-2017-7222 Cross-site Scripting vulnerability in Mantisbt
A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration.
network
mantisbt CWE-79
4.3
4.3
2017-03-10 CVE-2017-6799 Cross-site Scripting vulnerability in Mantisbt
A cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter.
network
mantisbt CWE-79
4.3
4.3
2017-03-10 CVE-2017-6797 Cross-site Scripting vulnerability in Mantisbt
A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter.
network
mantisbt CWE-79
4.3
4.3
2017-02-17 CVE-2016-7111 Cross-site Scripting vulnerability in Mantisbt
MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
network
high complexity
mantisbt CWE-79
2.6
2.6
2017-02-17 CVE-2016-5364 Cross-site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter.
network
mantisbt CWE-79
4.3
4.3
2017-01-10 CVE-2016-6837 Cross-site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter.
network
mantisbt CWE-79
4.3
4.3
2015-08-24 CVE-2014-8987 Cross-site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via the config_option parameter, a different vulnerability than CVE-2014-8986.
network
mantisbt CWE-79
3.5
3.5
2015-02-10 CVE-2015-1042 Unspecified vulnerability in Mantisbt
The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316.
network
mantisbt
5.8
5.8
2015-01-26 CVE-2014-9573 SQL Injection vulnerability in Mantisbt
SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie.
network
mantisbt CWE-89
6.0
6.0
2015-01-26 CVE-2014-9572 Improper Access Control vulnerability in Mantisbt
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.
network
low complexity
mantisbt CWE-284
7.5
7.5