Vulnerabilities > Mantisbt > Mantisbt
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-05-15 | CVE-2013-1810 | Cross-Site Scripting vulnerability in Mantisbt 1.2.12 Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function. | 2.1 |
| 2014-05-15 | CVE-2013-0197 | Cross-Site Scripting vulnerability in Mantisbt 1.2.12/1.2.13 Cross-site scripting (XSS) vulnerability in the filter_draw_selection_area2 function in core/filter_api.php in MantisBT 1.2.12 before 1.2.13 allows remote attackers to inject arbitrary web script or HTML via the match_type parameter to bugs/search.php. | 4.3 |
| 2014-03-20 | CVE-2014-1609 | SQL Injection vulnerability in multiple products Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608. | 7.5 |
| 2014-03-18 | CVE-2014-1608 | SQL Injection vulnerability in multiple products SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. | 7.5 |
| 2014-03-05 | CVE-2014-2238 | SQL Injection vulnerability in Mantisbt SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter. | 6.5 |
| 2014-01-10 | CVE-2013-4460 | Cross-Site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name. | 3.5 |
| 2012-11-16 | CVE-2012-5523 | Permissions, Privileges, and Access Controls vulnerability in Mantisbt core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. | 5.5 |
| 2012-11-16 | CVE-2012-5522 | Permissions, Privileges, and Access Controls vulnerability in Mantisbt MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. | 5.5 |
| 2012-06-29 | CVE-2012-1123 | Improper Authentication vulnerability in Mantisbt The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass authentication via a null password. | 7.5 |
| 2012-06-29 | CVE-2012-1122 | Permissions, Privileges, and Access Controls vulnerability in Mantisbt bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project when moving a bug report, which allows remote authenticated users with the report_bug_threshold and move_bug_threshold privileges for a project to bypass intended access restrictions and move bug reports to a different project. | 3.6 |