CVE-2014-9272
https://notcve.org/view.php?id=CVE-2014-9272
The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. La función string_insert_href en MantisBT 1.2.0a1 hasta 1.2.x anterior a 1.2.18 no valida correctamente el protocolo de URLs, lo que permite a atacantes remotos realizar ataques de XSS a través del protocolo javascript://. • http://seclists.org/oss-sec/2014/q4/867 http://seclists.org/oss-sec/2014/q4/902 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://github.com/mantisbt/mantisbt/commit/05378e00 https://www.mantisbt.org/bugs/view.php?id=17297 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-9269
https://notcve.org/view.php?id=CVE-2014-9269
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. Vulnerabilidad de XSS en helper_api.php en MantisBT 1.1.0a1 hasta 1.2.x anterior a 1.2.18, cuando el navegador de proyectos extendidos está habilitado, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la cookie de proyectos. • http://seclists.org/oss-sec/2014/q4/867 http://seclists.org/oss-sec/2014/q4/902 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://github.com/mantisbt/mantisbt/commit/511564cc https://www.mantisbt.org/bugs/view.php?id=17890 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-9271
https://notcve.org/view.php?id=CVE-2014-9271
Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. Vulnerabilidad de XSS en file_download.php en MantisBT anterior a 1.2.18 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un fichero Flash con un extensión de imagen, relacionado con adjuntos de línea interior (inline), tal y como fue demostrado por un nombre de fichero .swf.jpeg. • http://seclists.org/oss-sec/2014/q4/867 http://seclists.org/oss-sec/2014/q4/902 http://seclists.org/oss-sec/2014/q4/924 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://github.com/mantisbt/mantisbt/commit/9fb8cf36f https://www.mantisbt.org/bugs/view.php?id=17874 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-8987
https://notcve.org/view.php?id=CVE-2014-8987
Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via the config_option parameter, a different vulnerability than CVE-2014-8986. Vulnerabilidad de XSS en la casilla 'set configuration' en la página Configuration Report (adm_config_report.php) en MantisBT 1.2.13 hasta la versión 1.2.17, permite a administradores remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro config_option, una vulnerabilidad diferente a CVE-2014-8986. • http://www.mantisbt.org/bugs/view.php?id=17870 http://www.openwall.com/lists/oss-security/2014/11/14/9 http://www.openwall.com/lists/oss-security/2014/11/15/2 http://www.openwall.com/lists/oss-security/2014/11/15/3 http://www.openwall.com/lists/oss-security/2014/11/15/4 http://www.openwall.com/lists/oss-security/2014/11/19/21 https://github.com/mantisbt/mantisbt/commit/49c3d089 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-9506
https://notcve.org/view.php?id=CVE-2014-9506
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. MantisBT anterior a 1.2.18 no comprueba correctamente los permisos cuando envía una email que indica cuando un problema monitorizado está relacionado con otro problema, lo que permite a usuarios remotos autenticados obtener información sensible sobre los problemas restringidos. • http://seclists.org/oss-sec/2014/q4/955 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://www.mantisbt.org/bugs/changelog_page.php?version_id=191 https://www.mantisbt.org/bugs/view.php?id=9885 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •