Vulnerabilities > Mantisbt > Mantisbt > 2.4.1
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-01-29 | CVE-2020-29604 | Missing Authorization vulnerability in Mantisbt An issue was discovered in MantisBT before 2.24.4. | 4.0 |
2021-01-29 | CVE-2020-29603 | Insecure Storage of Sensitive Information vulnerability in Mantisbt In manage_proj_edit_page.php in MantisBT before 2.24.4, any unprivileged logged-in user can retrieve Private Projects' names via the manage_proj_edit_page.php project_id parameter, without having access to them. | 4.0 |
2020-12-30 | CVE-2020-35849 | Incorrect Authorization vulnerability in Mantisbt An issue was discovered in MantisBT before 2.24.4. | 5.0 |
2020-09-30 | CVE-2020-25830 | Cross-site Scripting vulnerability in Mantisbt An issue was discovered in MantisBT before 2.24.3. | 3.5 |
2020-09-30 | CVE-2020-25781 | Incorrect Authorization vulnerability in Mantisbt An issue was discovered in file_download.php in MantisBT before 2.24.3. | 4.0 |
2020-09-30 | CVE-2020-25288 | Cross-site Scripting vulnerability in Mantisbt An issue was discovered in MantisBT before 2.24.3. | 3.5 |
2020-08-12 | CVE-2020-16266 | Cross-site Scripting vulnerability in Mantisbt An XSS issue was discovered in MantisBT before 2.24.2. | 3.5 |
2020-03-19 | CVE-2019-15539 | Cross-site Scripting vulnerability in Mantisbt The proj_doc_edit_page.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. | 4.3 |
2019-10-09 | CVE-2019-15715 | OS Command Injection vulnerability in Mantisbt MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution. | 7.2 |
2019-06-20 | CVE-2018-16514 | Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. | 2.6 |