Vulnerabilities > Mantisbt > Mantisbt > 1.2.14

DATE CVE VULNERABILITY TITLE RISK
2014-12-08 CVE-2014-9279 Information Exposure vulnerability in Mantisbt
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.
network
low complexity
mantisbt CWE-200
5.0
2014-12-08 CVE-2014-9270 Cross-Site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field.
network
mantisbt CWE-79
4.3
2014-12-06 CVE-2014-9117 Improper Access Control vulnerability in Mantisbt
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0.
network
low complexity
mantisbt CWE-284
5.0
2014-11-28 CVE-2014-9089 SQL Injection vulnerability in multiple products
Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php.
network
low complexity
debian mantisbt CWE-89
7.5
2014-11-24 CVE-2014-8986 Cross-Site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987.
network
mantisbt CWE-79
3.5
2014-11-18 CVE-2014-8598 Data Processing Errors vulnerability in Mantisbt
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page.
network
low complexity
mantisbt CWE-19
6.4
2014-11-13 CVE-2014-8554 SQL Injection vulnerability in Mantisbt
SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter.
network
low complexity
mantisbt CWE-89
7.5
2014-10-22 CVE-2014-6387 Improper Authentication vulnerability in Mantisbt
gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind.
network
low complexity
mantisbt CWE-287
5.0
2014-05-27 CVE-2013-1883 Improper Input Validation vulnerability in Mantisbt 1.2.12/1.2.13/1.2.14
Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type.
network
low complexity
mantisbt CWE-20
5.0
2014-03-20 CVE-2014-1609 SQL Injection vulnerability in multiple products
Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608.
network
low complexity
debian mantisbt CWE-89
7.5