CVSS: 9.8EPSS: 67%CPEs: 1EXPL: 1CVE-2014-8598 – Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection
https://notcve.org/view.php?id=CVE-2014-8598
18 Nov 2014 — The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. El plugin XML Import/Export en MantisBT 1.2.x no restringe el acceso, lo que permite a atacantes remotos (1) subir código XML arbitrario mediante la página 'import' o (2) obtener información sensible mediante la pág... • https://www.exploit-db.com/exploits/41685 • CWE-19: Data Processing Errors •
CVSS: 9.8EPSS: 80%CPEs: 1EXPL: 4CVE-2014-7146 – Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection
https://notcve.org/view.php?id=CVE-2014-7146
18 Nov 2014 — The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier. El plugin XmlImportExport en MantisBT 1.2.15 y versiones anteriores, permite a atacantes remotos ejecutar código arbitrario PHP a mediante campos de descripción o modificaciones en el atributo issuelink en ficheros XML, que no es... • https://packetstorm.news/files/id/129143 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 75EXPL: 2CVE-2014-8554 – Debian Security Advisory 3120-1
https://notcve.org/view.php?id=CVE-2014-8554
13 Nov 2014 — SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1609. Una vulnerabilidad de inyección SQL en la función mc_project_get_attachments en api/soap/mc_project_api.php en MantisBT anterior a 1.2.18 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del par... • http://seclists.org/oss-sec/2014/q4/479 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 23EXPL: 1CVE-2014-6387
https://notcve.org/view.php?id=CVE-2014-6387
22 Oct 2014 — gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind. gpc_api.php en MantisBT 1.2.17 y anteriores permite a atacantes remotos evadir la autenticación a través de una contraseña que empiece por un byte nulo, lo que provoca un bind no autenticado. • http://www.mantisbt.org/bugs/view.php?id=17640 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 2CVE-2013-1883
https://notcve.org/view.php?id=CVE-2013-1883
27 May 2014 — Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type. Mantis Bug Tracker (también conocido como MantisBT) 1.2.12 anterior a 1.2.15 permite a atacantes remotos causar una denegación de servicio (consumo de recursos) a través de un filtro que utiliza un criterio, búsqueda de texto y el tipo de coincidencia 'cualquier condición'. • http://www.mantisbt.org/bugs/view.php?id=15573 • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2013-1810
https://notcve.org/view.php?id=CVE-2013-1810
15 May 2014 — Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function. Múltiples vulnerabilidades de XSS en core/summary_api.php en MantisBT 1.2.12 permiten a usuarios remotos autenticados con permisos de gestor o administrador inyectar secuencia... • http://seclists.org/oss-sec/2013/q1/127 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2013-0197
https://notcve.org/view.php?id=CVE-2013-0197
15 May 2014 — Cross-site scripting (XSS) vulnerability in the filter_draw_selection_area2 function in core/filter_api.php in MantisBT 1.2.12 before 1.2.13 allows remote attackers to inject arbitrary web script or HTML via the match_type parameter to bugs/search.php. Vulnerabilidad de XSS en la función filter_draw_selection_area2 en core/filter_api.php en MantisBT 1.2.12 anterior a 1.2.13 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro match_type hacia bugs/search.... • http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 45%CPEs: 4EXPL: 4CVE-2014-2238 – MantisBT Admin SQL Injection Arbitrary File Read
https://notcve.org/view.php?id=CVE-2014-2238
03 Mar 2014 — SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter. Vulnerabilidad de inyección SQL en la página "manage configuration" (adm_config_report.php) en MantisBT 1.2.13 hasta 1.2.16 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro filter_config_id. Versions 1.2.13 through 1.2.16 are... • https://packetstorm.news/files/id/180677 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 1CVE-2014-1608 – Debian Security Advisory 3030-1
https://notcve.org/view.php?id=CVE-2014-1608
09 Feb 2014 — SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. Vulnerabilidad de inyección SQL en la función mci_file_get en api/soap/mc_file_api.php en MantisBT anterior a 1.2.16 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de una etiqueta envolvente manipulada en una solicitud mc_issue_attachment_get SOAP. ... • http://osvdb.org/103118 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 1CVE-2014-1609 – Debian Security Advisory 3030-1
https://notcve.org/view.php?id=CVE-2014-1609
09 Feb 2014 — Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (... • http://secunia.com/advisories/61432 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •