CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2013-1810
https://notcve.org/view.php?id=CVE-2013-1810
15 May 2014 — Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function. Múltiples vulnerabilidades de XSS en core/summary_api.php en MantisBT 1.2.12 permiten a usuarios remotos autenticados con permisos de gestor o administrador inyectar secuencia... • http://seclists.org/oss-sec/2013/q1/127 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2013-0197
https://notcve.org/view.php?id=CVE-2013-0197
15 May 2014 — Cross-site scripting (XSS) vulnerability in the filter_draw_selection_area2 function in core/filter_api.php in MantisBT 1.2.12 before 1.2.13 allows remote attackers to inject arbitrary web script or HTML via the match_type parameter to bugs/search.php. Vulnerabilidad de XSS en la función filter_draw_selection_area2 en core/filter_api.php en MantisBT 1.2.12 anterior a 1.2.13 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro match_type hacia bugs/search.... • http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 45%CPEs: 4EXPL: 4CVE-2014-2238 – MantisBT Admin SQL Injection Arbitrary File Read
https://notcve.org/view.php?id=CVE-2014-2238
03 Mar 2014 — SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter. Vulnerabilidad de inyección SQL en la página "manage configuration" (adm_config_report.php) en MantisBT 1.2.13 hasta 1.2.16 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro filter_config_id. Versions 1.2.13 through 1.2.16 are... • https://packetstorm.news/files/id/180677 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 1CVE-2014-1608 – Debian Security Advisory 3030-1
https://notcve.org/view.php?id=CVE-2014-1608
09 Feb 2014 — SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. Vulnerabilidad de inyección SQL en la función mci_file_get en api/soap/mc_file_api.php en MantisBT anterior a 1.2.16 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de una etiqueta envolvente manipulada en una solicitud mc_issue_attachment_get SOAP. ... • http://osvdb.org/103118 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 1CVE-2014-1609 – Debian Security Advisory 3030-1
https://notcve.org/view.php?id=CVE-2014-1609
09 Feb 2014 — Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (... • http://secunia.com/advisories/61432 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 55EXPL: 1CVE-2013-4460
https://notcve.org/view.php?id=CVE-2013-4460
10 Jan 2014 — Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name. Vulnerabilidad cross-site scripting (XSS) en account_sponsor_page.php de MantisBT 1.0.0 hasta 1.2.15 permite a usuarios remotos autenticados inyectar script web o HTML de forma arbitraria a través de un nombre de proyecto. • http://osvdb.org/98823 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 62EXPL: 0CVE-2012-5522
https://notcve.org/view.php?id=CVE-2012-5522
16 Nov 2012 — MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. MantisBT antes de v1.2.12 no utiliza un valor por defecto esperado durante las decisiones sobre si un usuario puede modificar el estado de un bug, lo que permite a usuarios remotos autenticados eludir restricciones de acces... • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.5EPSS: 0%CPEs: 62EXPL: 0CVE-2012-5523
https://notcve.org/view.php?id=CVE-2012-5523
16 Nov 2012 — core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. core/email_api.php en MantisBT antes de v1.2.12 no gestiona adecuadamente el envío de notificaciones por correo electrónico sobre bugs restringidos, lo que podría permitir a usuarios remotos autenticados obtener información confidencial ... • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 1%CPEs: 46EXPL: 1CVE-2012-1118
https://notcve.org/view.php?id=CVE-2012-1118
29 Jun 2012 — The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform certain operations on private bug reports. La función access_has_bug_level de core/access_api.php de MantisBT anteriores a 1.2.9 no restringe el acceso apropiadamente si private_bug_view_threshold es configurado a un array, lo que permite a atacantes remotos evitar ... • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.4EPSS: 3%CPEs: 59EXPL: 1CVE-2012-1119
https://notcve.org/view.php?id=CVE-2012-1119
29 Jun 2012 — MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection. MantisBT anteriores a 1.2.9 no audita la acción de un usuario de copiar o clonar un reporte de bug, lo que facilita a atacantes remotos copiar reportes de bug sin detección. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html • CWE-264: Permissions, Privileges, and Access Controls •