Page 15 of 95 results (0.004 seconds)

CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 1

Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608. Múltiples vulnerabilidades de inyección SQL en MantisBT anterior a 1.2.16 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través de parámetros no especificados hacia (1) la función mc_project_get_attachments en api/soap/mc_project_api.php; (2) la función news_get_limited_rows en core/news_api.php; la función (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter o (7) summary_print_by_category en core/summary_api.php; la función (8) create_bug_enum_summary o (9) enum_bug_group en plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php o (11) bug_graph_bystatus.php en plugins/MantisGraph/pages/ o (12) proj_doc_page.php, relacionado con el uso de la función db_query, una vulnerabilidad diferente a CVE-2014-1608. • http://secunia.com/advisories/61432 http://www.debian.org/security/2014/dsa-3030 http://www.mantisbt.org/bugs/view.php?id=16880 http://www.ocert.org/advisories/ocert-2014-001.html http://www.securityfocus.com/bid/65461 https://bugzilla.redhat.com/show_bug.cgi?id=1063111 https://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 3.5EPSS: 0%CPEs: 55EXPL: 1

Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name. Vulnerabilidad cross-site scripting (XSS) en account_sponsor_page.php de MantisBT 1.0.0 hasta 1.2.15 permite a usuarios remotos autenticados inyectar script web o HTML de forma arbitraria a través de un nombre de proyecto. • http://osvdb.org/98823 http://seclists.org/oss-sec/2013/q4/168 http://secunia.com/advisories/55305 http://www.mantisbt.org/bugs/view.php?id=16513 https://github.com/mantisbt/mantisbt/commit/0002d106a6cd35cb0a6fe03246531a4e3f32c9d0#diff-4122320b011a3291cd45da074a867076 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5EPSS: 0%CPEs: 62EXPL: 0

MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. MantisBT antes de v1.2.12 no utiliza un valor por defecto esperado durante las decisiones sobre si un usuario puede modificar el estado de un bug, lo que permite a usuarios remotos autenticados eludir restricciones de acceso y hacer cambios en el estado al aprovecharse de un valor en blanco para un configuración "por-estado". • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://openwall.com/lists/oss-security/2012/11/14/1 http://www.mantisbt.org/bugs/changelog_page.php?version_id=150 http://www.mantisbt.org/bugs/view.php?id=14496 http://www.securityfocus.com/bid/56520 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.5EPSS: 0%CPEs: 62EXPL: 0

core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. core/email_api.php en MantisBT antes de v1.2.12 no gestiona adecuadamente el envío de notificaciones por correo electrónico sobre bugs restringidos, lo que podría permitir a usuarios remotos autenticados obtener información confidencial mediante la adición de una nota a un error antes de perder el permiso para ver ese error. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://openwall.com/lists/oss-security/2012/11/14/1 http://www.mantisbt.org/bugs/changelog_page.php?version_id=150 http://www.mantisbt.org/bugs/view.php?id=14704 http://www.securityfocus.com/bid/56520 https://exchange.xforce.ibmcloud.com/vulnerabi • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.9EPSS: 0%CPEs: 59EXPL: 1

MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories. MantisBT anteriores a 1.2.9 no comprueba adecuadamente permisos, lo que permite a usuarios autenticados remotos con privilegios de manager (1) modificar o (2) borrar categorías globales. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.mantisbt.org/bugs/changelog_page.php?version_id=140 http://www.mantisbt.org/bugs/view.php?id=13561 http://www& • CWE-264: Permissions, Privileges, and Access Controls •