Page 11 of 74 results (0.023 seconds)

CVSS: 5.0EPSS: 0%CPEs: 23EXPL: 1

gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind. gpc_api.php en MantisBT 1.2.17 y anteriores permite a atacantes remotos evadir la autenticación a través de una contraseña que empiece por un byte nulo, lo que provoca un bind no autenticado. • http://www.mantisbt.org/bugs/view.php?id=17640 http://www.openwall.com/lists/oss-security/2014/09/12/11 http://www.openwall.com/lists/oss-security/2014/09/12/14 http://www.openwall.com/lists/oss-security/2014/09/13/1 • CWE-287: Improper Authentication •

CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 1

Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608. Múltiples vulnerabilidades de inyección SQL en MantisBT anterior a 1.2.16 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través de parámetros no especificados hacia (1) la función mc_project_get_attachments en api/soap/mc_project_api.php; (2) la función news_get_limited_rows en core/news_api.php; la función (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter o (7) summary_print_by_category en core/summary_api.php; la función (8) create_bug_enum_summary o (9) enum_bug_group en plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php o (11) bug_graph_bystatus.php en plugins/MantisGraph/pages/ o (12) proj_doc_page.php, relacionado con el uso de la función db_query, una vulnerabilidad diferente a CVE-2014-1608. • http://secunia.com/advisories/61432 http://www.debian.org/security/2014/dsa-3030 http://www.mantisbt.org/bugs/view.php?id=16880 http://www.ocert.org/advisories/ocert-2014-001.html http://www.securityfocus.com/bid/65461 https://bugzilla.redhat.com/show_bug.cgi?id=1063111 https://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 1%CPEs: 21EXPL: 1

SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. Vulnerabilidad de inyección SQL en la función mci_file_get en api/soap/mc_file_api.php en MantisBT anterior a 1.2.16 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de una etiqueta envolvente manipulada en una solicitud mc_issue_attachment_get SOAP. • http://osvdb.org/103118 http://secunia.com/advisories/61432 http://www.debian.org/security/2014/dsa-3030 http://www.mantisbt.org/bugs/view.php?id=16879 http://www.ocert.org/advisories/ocert-2014-001.html http://www.securityfocus.com/bid/65445 https://bugzilla.redhat.com/show_bug.cgi?id=1063111 https://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.5EPSS: 0%CPEs: 62EXPL: 0

MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. MantisBT antes de v1.2.12 no utiliza un valor por defecto esperado durante las decisiones sobre si un usuario puede modificar el estado de un bug, lo que permite a usuarios remotos autenticados eludir restricciones de acceso y hacer cambios en el estado al aprovecharse de un valor en blanco para un configuración "por-estado". • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://openwall.com/lists/oss-security/2012/11/14/1 http://www.mantisbt.org/bugs/changelog_page.php?version_id=150 http://www.mantisbt.org/bugs/view.php?id=14496 http://www.securityfocus.com/bid/56520 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.5EPSS: 0%CPEs: 62EXPL: 0

core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. core/email_api.php en MantisBT antes de v1.2.12 no gestiona adecuadamente el envío de notificaciones por correo electrónico sobre bugs restringidos, lo que podría permitir a usuarios remotos autenticados obtener información confidencial mediante la adición de una nota a un error antes de perder el permiso para ver ese error. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://openwall.com/lists/oss-security/2012/11/14/1 http://www.mantisbt.org/bugs/changelog_page.php?version_id=150 http://www.mantisbt.org/bugs/view.php?id=14704 http://www.securityfocus.com/bid/56520 https://exchange.xforce.ibmcloud.com/vulnerabi • CWE-264: Permissions, Privileges, and Access Controls •