CVE-2008-3332 – Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2008-3332
Eval injection vulnerability in adm_config_set.php in Mantis before 1.1.2 allows remote authenticated administrators to execute arbitrary code via the value parameter.
References:
https://www.exploit-db.com/exploits/5657
http://marc.info/?l=bugtraq&m=121130774617956&w=4
http://secunia.com/advisories/30270
http://secunia.com/advisories/31972
http://securityreason.com/securityalert/4044
http://www.gentoo.org/security/en/glsa/glsa-200809-10.xml
http://www.mantisbt.org/bugs/changelog_page.php
http://www.securityfocus.com/bid/29297
http://www.vupen.com/english/advisories/2008/1598/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/42550
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2008-3333
https://notcve.org/view.php?id=CVE-2008-3333
Directory traversal vulnerability in core/lang_api.php in Mantis before 1.1.2 allows remote attackers to include and execute arbitrary files via the language parameter to the user preferences page (account_prefs_update.php).
References:
http://secunia.com/advisories/30270
http://secunia.com/advisories/31972
http://www.gentoo.org/security/en/glsa/glsa-200809-10.xml
http://www.mantisbt.org/bugs/changelog_page.php
http://www.mantisbt.org/bugs/view.php?id=9154
http://www.securityfocus.com/bid/29297
http://www.securityfocus.com/bid/30354
https://bugzilla.redhat.com/show_bug.cgi?id=456044
https://exchange.xforce.ibmcloud.com/vulnerabilities/43984
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2008-2276 – Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2008-2276
Cross-site request forgery (CSRF) vulnerability in manage_user_create.php in Mantis 1.1.1 allows remote attackers to create new administrative users via a crafted link.
References:
https://www.exploit-db.com/exploits/5657
http://marc.info/?l=bugtraq&m=121130774617956&w=4
http://secunia.com/advisories/30270
http://secunia.com/advisories/31171
http://secunia.com/advisories/31972
http://sourceforge.net/project/shownotes.php?group_id=14963&release_id=595025
http://www.gentoo.org/security/en/glsa/glsa-200809-10.xml
http://www.securityfocus.com/bid/29297
http://www.vupen.com/english/advisories/2008/1598/references
https://exchange.xforce.ibmcloud.com/vulne
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2008-0404
https://notcve.org/view.php?id=CVE-2008-0404
Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary.
References:
http://secunia.com/advisories/28577
http://secunia.com/advisories/28591
http://sourceforge.net/project/shownotes.php?release_id=569765
http://www.securityfocus.com/bid/27367
http://www.vupen.com/english/advisories/2008/0232
https://bugzilla.redhat.com/show_bug.cgi?id=429552
https://exchange.xforce.ibmcloud.com/vulnerabilities/39801
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00676.html
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00734.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-6611
https://notcve.org/view.php?id=CVE-2007-6611
Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename, related to bug_report.php.
References:
http://osvdb.org/39873
http://secunia.com/advisories/28185
http://secunia.com/advisories/28352
http://secunia.com/advisories/28551
http://secunia.com/advisories/29198
http://security.gentoo.org/glsa/glsa-200803-04.xml
http://sourceforge.net/project/shownotes.php?release_id=562940
http://www.debian.org/security/2008/dsa-1467
http://www.mantisbt.org/bugs/view.php?id=8679
http://www.securityfocus.com/bid/27045
https://bugzilla.redhat.com/show_bug.cgi?id=427277
https:&
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')