Vulnerabilities > Mantisbt > Low

DATE CVE VULNERABILITY TITLE RISK
2017-08-01 CVE-2015-5059 Information Exposure vulnerability in Mantisbt
The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects via a file id number in the file_id parameter to file_download.php.
network
mantisbt CWE-200
3.5
3.5
2017-03-31 CVE-2017-6973 Cross-site Scripting vulnerability in Mantisbt
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter.
network
mantisbt CWE-79
3.5
3.5
2017-03-31 CVE-2017-7241 Cross-site Scripting vulnerability in Mantisbt
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allows it.
network
mantisbt CWE-79
3.5
3.5
2017-03-31 CVE-2017-7309 Cross-site Scripting vulnerability in Mantisbt
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter.
network
mantisbt CWE-79
3.5
3.5
2017-02-17 CVE-2016-7111 Cross-site Scripting vulnerability in Mantisbt
MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
network
high complexity
mantisbt CWE-79
2.6
2.6
2015-08-24 CVE-2014-8987 Cross-site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via the config_option parameter, a different vulnerability than CVE-2014-8986.
network
mantisbt CWE-79
3.5
3.5
2015-01-09 CVE-2014-9269 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.
network
high complexity
mantisbt debian CWE-79
2.6
2.6
2015-01-04 CVE-2014-9506 Information Exposure vulnerability in Mantisbt
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.
network
mantisbt CWE-200
3.5
3.5
2014-11-24 CVE-2014-8986 Cross-Site Scripting vulnerability in Mantisbt
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987.
network
mantisbt CWE-79
3.5
3.5
2014-05-15 CVE-2013-1810 Cross-Site Scripting vulnerability in Mantisbt 1.2.12
Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function.
network
high complexity
mantisbt CWE-79
2.1
2.1