CVE-2014-9573 – MantisBT 1.2.17 XSS / Improper Access Control / SQL Injection

https://notcve.org/view.php?id=CVE-2014-9573

26 Jan 2015 — SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. Vulnerabilidad de inyección SQL en manage_user_page.php en MantisBT anterior a 1.2.19 y 1.3.x anterior a 1.3.0-beta.2 permite a administradores remotos con privilegios FILE ejecutar comandos SQL arbitrarios a través de la cookie MANTIS_MANAGE_USERS_COOKIE. MantisBT version 1.2... • https://packetstorm.news/files/id/130173 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •