Vulnerabilities > Mantisbt

DATE	CVE	VULNERABILITY TITLE	RISK
2017-05-21	CVE-2017-7620	Cross-Site Request Forgery (CSRF) vulnerability in Mantisbt MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI. network low complexity mantisbt CWE-352	6.5
2017-04-18	CVE-2017-7897	Cross-site Scripting vulnerability in Mantisbt 2.3.0/2.3.1 A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs. network low complexity mantisbt CWE-79	6.1
2017-04-16	CVE-2017-7615	Weak Password Recovery Mechanism for Forgotten Password vulnerability in Mantisbt MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php. network low complexity mantisbt CWE-640	8.8
2017-03-31	CVE-2017-7309	Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. network low complexity mantisbt CWE-79	4.8
2017-03-31	CVE-2017-7241	Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allows it. network low complexity mantisbt CWE-79	4.8
2017-03-31	CVE-2017-6973	Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. network low complexity mantisbt CWE-79	4.8
2017-03-22	CVE-2017-7222	Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. network low complexity mantisbt CWE-79	6.1
2017-03-17	CVE-2017-6958	Cross-site Scripting vulnerability in Mantisbt Source Integration An XSS vulnerability in the MantisBT Source Integration Plugin (before 2.0.2) search result page allows an attacker to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by crafting any valid parameter. network low complexity mantisbt CWE-79	6.1
2017-03-10	CVE-2017-6799	Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter. network low complexity mantisbt CWE-79	6.1
2017-03-10	CVE-2017-6797	Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter. network low complexity mantisbt CWE-79	6.1

Vulnerabilities > Mantisbt {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"Mantisbt"}]}

Vulnerabilities > Mantisbt