Vulnerabilities > Mantisbt > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-10-30 | CVE-2018-17782 | Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in the Manage Filters page (manage_filter_page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name. | 5.4 |
| 2018-09-02 | CVE-2018-16362 | Cross-site Scripting vulnerability in Mantisbt Source Integration An issue was discovered in the Source Integration plugin before 1.5.9 and 2.x before 2.1.5 for MantisBT. | 6.1 |
| 2018-08-03 | CVE-2018-14504 | Cross-site Scripting vulnerability in Mantisbt An issue was discovered in manage_filter_edit_page.php in MantisBT 2.x through 2.15.0. | 6.1 |
| 2018-08-03 | CVE-2018-13055 | Cross-site Scripting vulnerability in Mantisbt A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) in MantisBT 2.1.0 through 2.15.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. | 6.1 |
| 2018-02-02 | CVE-2018-6526 | Information Exposure vulnerability in Mantisbt view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filter_ensure_valid_filter call in current_user_api.php. | 5.3 |
| 2017-08-28 | CVE-2015-2046 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later before 1.2.20. | 6.1 |
| 2017-08-09 | CVE-2014-9701 | Cross-site Scripting vulnerability in Mantisbt Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter to permalink_page.php. | 6.5 |
| 2017-08-05 | CVE-2017-12419 | Information Exposure vulnerability in Mantisbt 2.5.2 If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature to remotely access files on the MantisBT server. | 4.9 |
| 2017-08-01 | CVE-2017-12062 | Cross-site Scripting vulnerability in Mantisbt An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. | 6.1 |
| 2017-08-01 | CVE-2017-12061 | Cross-site Scripting vulnerability in Mantisbt An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. | 6.1 |