CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6526
https://notcve.org/view.php?id=CVE-2018-6526
view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filter_ensure_valid_filter call in current_user_api.php. En el archivo view_all_bug_page.php en MantisBT versión 2.10.0-desarrollo antes del 02-02-2018, permite a los atacantes remotos detectar la path completa por medio de un parámetro filter no válido, relacionado con una llamada a la función filter_ensure_valid_filter en el archivo current_user_api.php. • http://www.securityfocus.com/bid/103065 https://github.com/mantisbt/mantisbt/commit/de686a9e6d8c909485b87ca09c8f912bf83082f2 https://mantisbt.org/bugs/view.php?id=23921 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9624
https://notcve.org/view.php?id=CVE-2014-9624
CAPTCHA bypass vulnerability in MantisBT before 1.2.19. Existe una vulnerabilidad de omisión de CAPTCHA en MantisBT en versiones anteriores a la 1.2.19. • http://www.openwall.com/lists/oss-security/2015/01/18/11 http://www.securitytracker.com/id/1031633 https://bugzilla.redhat.com/show_bug.cgi?id=1183593 https://exchange.xforce.ibmcloud.com/vulnerabilities/100213 https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.19 https://www.mantisbt.org/bugs/view.php?id=17984 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2015-2046
https://notcve.org/view.php?id=CVE-2015-2046
Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later before 1.2.20. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en MantisBT 1.2.13 y posteriores antes de la 1.2.20. • http://www.openwall.com/lists/oss-security/2015/02/21/1 http://www.openwall.com/lists/oss-security/2015/02/21/2 https://bugzilla.redhat.com/show_bug.cgi?id=1191130 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-9701
https://notcve.org/view.php?id=CVE-2014-9701
Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter to permalink_page.php. Una vulnerabilidad de tipo cross-site scripting (XSS) en MantisBT en versiones anteriores a la 1.2.19 y en versiones 1.3.x anteriores a la 1.3.0-beta.2 permite que atacantes remotos inyecten scripts web o HTML mediante el parámetro url a permalink_page.php. • http://www.openwall.com/lists/oss-security/2015/03/15/2 https://bugzilla.redhat.com/show_bug.cgi?id=1202885 https://github.com/mantisbt/mantisbt/commit/d95f070db852614fa18ccca6a4f12f4bffede1fd https://github.com/mantisbt/mantisbt/commit/e7e2b5503580e42db9d91e0d599d61d3ff03c27e https://www.mantisbt.org/bugs/view.php?id=17362#c40613 https://www.mantisbt.org/bugs/view.php?id=19493 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12061
https://notcve.org/view.php?id=CVE-2017-12061
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP. Se detectó una vulnerabilidad de tipo Cross-Site Scripting (XSS) en admin/install.php en MantisBT en versiones anteriores a la 1.3.12 y todas las 2.X anteriores a la 2.5.2. Algunas variables que están bajo el control de usuarios en el script de instalación de MantisBT no están sanitizadas correctamente antes de que se envíen, permitiendo a los atacantes remotos inyectar código JavaScript arbitrario, tal y como lo demuestran las variables $f_database, $f_db_username, y $f_admin_username. • http://openwall.com/lists/oss-security/2017/08/01/1 http://openwall.com/lists/oss-security/2017/08/01/2 http://www.securitytracker.com/id/1039030 https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0 https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5 https://mantisbt.org/bugs/view.php?id=23146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •