Vulnerabilities > Mantisbt > Mantisbt
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-12-08 | CVE-2014-9270 | Cross-Site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field. | 4.3 |
| 2014-12-06 | CVE-2014-9117 | Improper Access Control vulnerability in Mantisbt MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0. | 5.0 |
| 2014-11-28 | CVE-2014-9089 | SQL Injection vulnerability in multiple products Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php. | 7.5 |
| 2014-11-24 | CVE-2014-8988 | Permissions, Privileges, and Access Controls vulnerability in Mantisbt 1.2.17 MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. | 4.0 |
| 2014-11-24 | CVE-2014-8986 | Cross-Site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987. | 3.5 |
| 2014-11-18 | CVE-2014-8598 | Data Processing Errors vulnerability in Mantisbt The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. | 6.4 |
| 2014-11-18 | CVE-2014-7146 | Improper Input Validation vulnerability in Mantisbt 1.2.17 The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier. | 7.5 |
| 2014-11-13 | CVE-2014-8554 | SQL Injection vulnerability in Mantisbt SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. | 7.5 |
| 2014-10-22 | CVE-2014-6387 | Improper Authentication vulnerability in Mantisbt gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind. | 5.0 |
| 2014-05-27 | CVE-2013-1883 | Improper Input Validation vulnerability in Mantisbt 1.2.12/1.2.13/1.2.14 Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type. | 5.0 |