CVE-2013-1883
https://notcve.org/view.php?id=CVE-2013-1883
Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type. Mantis Bug Tracker (también conocido como MantisBT) 1.2.12 anterior a 1.2.15 permite a atacantes remotos causar una denegación de servicio (consumo de recursos) a través de un filtro que utiliza un criterio, búsqueda de texto y el tipo de coincidencia 'cualquier condición'. • http://www.mantisbt.org/bugs/view.php?id=15573 http://www.openwall.com/lists/oss-security/2013/03/22/2 http://www.securityfocus.com/bid/58626 https://bugzilla.redhat.com/show_bug.cgi?id=924340 https://exchange.xforce.ibmcloud.com/vulnerabilities/83347 https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7 • CWE-20: Improper Input Validation •
CVE-2013-0197
https://notcve.org/view.php?id=CVE-2013-0197
Cross-site scripting (XSS) vulnerability in the filter_draw_selection_area2 function in core/filter_api.php in MantisBT 1.2.12 before 1.2.13 allows remote attackers to inject arbitrary web script or HTML via the match_type parameter to bugs/search.php. Vulnerabilidad de XSS en la función filter_draw_selection_area2 en core/filter_api.php en MantisBT 1.2.12 anterior a 1.2.13 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro match_type hacia bugs/search.php. • http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html http://seclists.org/oss-sec/2013/q1/118 http://seclists.org/oss-sec/2013/q1/125 http://seclists.org/oss-sec/2013/q1/140 http://secunia.com/advisories/51853 http://www.mantisbt.org/bugs/view.php?id=15373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-1810
https://notcve.org/view.php?id=CVE-2013-1810
Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function. Múltiples vulnerabilidades de XSS en core/summary_api.php en MantisBT 1.2.12 permiten a usuarios remotos autenticados con permisos de gestor o administrador inyectar secuencias de comandos web o HTML arbitrarios a través del nombre de (1) categoría en la función summary_print_by_category o (2) proyecto en la función summary_print_by_project. • http://seclists.org/oss-sec/2013/q1/127 http://seclists.org/oss-sec/2013/q1/556 http://secunia.com/advisories/51853 http://www.mantisbt.org/bugs/view.php?id=15384 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-2238 – MantisBT Admin SQL Injection Arbitrary File Read
https://notcve.org/view.php?id=CVE-2014-2238
SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter. Vulnerabilidad de inyección SQL en la página "manage configuration" (adm_config_report.php) en MantisBT 1.2.13 hasta 1.2.16 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro filter_config_id. Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if an attacker can gain access to administrative credentials. This vuln was fixed in 1.2.17. • http://mantisbt.domainunion.de/bugs/view.php?id=17055 http://seclists.org/oss-sec/2014/q1/456 http://seclists.org/oss-sec/2014/q1/490 http://www.mantisbt.org/blog/?p=288 http://www.securityfocus.com/bid/65903 https://exchange.xforce.ibmcloud.com/vulnerabilities/91563 https://www.mantisbt.org/bugs/view.php?id=17055 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-1609
https://notcve.org/view.php?id=CVE-2014-1609
Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608. Múltiples vulnerabilidades de inyección SQL en MantisBT anterior a 1.2.16 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través de parámetros no especificados hacia (1) la función mc_project_get_attachments en api/soap/mc_project_api.php; (2) la función news_get_limited_rows en core/news_api.php; la función (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter o (7) summary_print_by_category en core/summary_api.php; la función (8) create_bug_enum_summary o (9) enum_bug_group en plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php o (11) bug_graph_bystatus.php en plugins/MantisGraph/pages/ o (12) proj_doc_page.php, relacionado con el uso de la función db_query, una vulnerabilidad diferente a CVE-2014-1608. • http://secunia.com/advisories/61432 http://www.debian.org/security/2014/dsa-3030 http://www.mantisbt.org/bugs/view.php?id=16880 http://www.ocert.org/advisories/ocert-2014-001.html http://www.securityfocus.com/bid/65461 https://bugzilla.redhat.com/show_bug.cgi?id=1063111 https://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •