CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25288
https://notcve.org/view.php?id=CVE-2020-25288
30 Sep 2020 — An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript. Se detectó un problema en MantisBT versiones anteriores a 2.24.3. Cuando se edita un problema en un proyecto donde se usa un campo personalizado con una propiedad de expresión regular diseñada... • http://github.com/mantisbt/mantisbt/commit/221cf323f16a9738a5b27aaba94758f11281d85c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-16266
https://notcve.org/view.php?id=CVE-2020-16266
12 Aug 2020 — An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it). Se detectó un problema de tipo XSS en MantisBT versiones anteriores a 2.24.2. Un escape inapropiado en el archivo view_all_bug_page.php permite a un atacante remoto inyectar HTML arbitrario ... • https://mantisbt.org/blog/archives/mantisbt/665 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15539
https://notcve.org/view.php?id=CVE-2019-15539
19 Mar 2020 — The proj_doc_edit_page.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed when editing the document's page. La funcionalidad Project Documentation del archivo proj_doc_edit_page.php en MantisBT versiones anteriores a 2.21.3, presenta una vulnerabilidad de tipo cross-site scripting (XSS) almacenado, permiti... • https://github.com/mantisbt/mantisbt/commit/bd094dede74ff6e313e286e949e2387233a96eea • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 6%CPEs: 2EXPL: 5CVE-2019-15715 – Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
https://notcve.org/view.php?id=CVE-2019-15715
09 Oct 2019 — MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution. MantisBT versiones anteriores a 1.3.20 y 2.22.1, permite la Inyección de Comandos de Autenticación Post, lo que conlleva a la Ejecución de Código Remota. Mantis Bug Tracker version 2.3.0 suffers from a remote code execution vulnerability. • https://packetstorm.news/files/id/159219 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16514
https://notcve.org/view.php?id=CVE-2018-16514
20 Jun 2019 — A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-13055. Una vulnerabilidad de tipo cross-site scripting (XSS) en las páginas View Filters (view_filters_page.php) y Edit Filter (manage_filter_edit_page.php)... • https://mantisbt.org/bugs/view.php?id=24731 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17782
https://notcve.org/view.php?id=CVE-2018-17782
30 Oct 2018 — A cross-site scripting (XSS) vulnerability in the Manage Filters page (manage_filter_page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name. Una vulnerabilidad de Cross-Site Scripting (XSS) en la página Manage Filters (manage_filter_page.php) en MantisBT, desde la versión 2.1.0 hasta la 2.17.1, permite que los atacantes remotos (si los derechos de acceso lo permiten) inyecten código a... • https://mantisbt.org/blog/archives/mantisbt/613 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17783
https://notcve.org/view.php?id=CVE-2018-17783
30 Oct 2018 — A cross-site scripting (XSS) vulnerability in the Edit Filter page (manage_filter_edit page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name. Una vulnerabilidad de Cross-Site Scripting (XSS) en la página Edit Filter (manage_filter_edit page.php) en MantisBT, desde la versión 2.1.0 hasta la 2.17.1, permite que los atacantes remotos (si los derechos de acceso lo permiten) inyecten códi... • https://mantisbt.org/blog/archives/mantisbt/613 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14504
https://notcve.org/view.php?id=CVE-2018-14504
03 Aug 2018 — An issue was discovered in manage_filter_edit_page.php in MantisBT 2.x through 2.15.0. A cross-site scripting (XSS) vulnerability in the Edit Filter page allows execution of arbitrary code (if CSP settings permit it) when displaying a filter with a crafted name (e.g., 'foobar" onclick="alert(1)'). Se ha descubierto un problema en manage_filter_edit_page.php en MantisBT en versiones 2.x hasta la versión 2.15.0. Una vulnerabilidad Cross-Site Scripting (XSS) en la página Edit Filter permite la ejecución de cód... • http://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13055 – Mantis 2.11.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-13055
03 Aug 2018 — A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) in MantisBT 2.1.0 through 2.15.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. Una vulnerabilidad de Cross-Site Scripting (XSS) en la página View Filters (view_filters_page.php) en MantisBT, desde la versión 2.1.0 hasta la 2.15.0, permite que los atacantes remotos inyecten código arbitrario (si la configuración CSP lo permite) mediante un PATH_INFO manipulad... • https://packetstorm.news/files/id/151050 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6526
https://notcve.org/view.php?id=CVE-2018-6526
02 Feb 2018 — view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filter_ensure_valid_filter call in current_user_api.php. En el archivo view_all_bug_page.php en MantisBT versión 2.10.0-desarrollo antes del 02-02-2018, permite a los atacantes remotos detectar la path completa por medio de un parámetro filter no válido, relacionado con una llamada a la función filter_ensure_valid_filter en el archivo current_... • http://www.securityfocus.com/bid/103065 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •