CVSS: 2.6EPSS: 0%CPEs: 42EXPL: 0CVE-2014-9269
https://notcve.org/view.php?id=CVE-2014-9269
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. Vulnerabilidad de XSS en helper_api.php en MantisBT 1.1.0a1 hasta 1.2.x anterior a 1.2.18, cuando el navegador de proyectos extendidos está habilitado, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la cookie de proyectos. • http://seclists.org/oss-sec/2014/q4/867 http://seclists.org/oss-sec/2014/q4/902 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://github.com/mantisbt/mantisbt/commit/511564cc https://www.mantisbt.org/bugs/view.php?id=17890 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 40EXPL: 1CVE-2014-9271
https://notcve.org/view.php?id=CVE-2014-9271
Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. Vulnerabilidad de XSS en file_download.php en MantisBT anterior a 1.2.18 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un fichero Flash con un extensión de imagen, relacionado con adjuntos de línea interior (inline), tal y como fue demostrado por un nombre de fichero .swf.jpeg. • http://seclists.org/oss-sec/2014/q4/867 http://seclists.org/oss-sec/2014/q4/902 http://seclists.org/oss-sec/2014/q4/924 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://github.com/mantisbt/mantisbt/commit/9fb8cf36f https://www.mantisbt.org/bugs/view.php?id=17874 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 40EXPL: 0CVE-2014-9272
https://notcve.org/view.php?id=CVE-2014-9272
The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. La función string_insert_href en MantisBT 1.2.0a1 hasta 1.2.x anterior a 1.2.18 no valida correctamente el protocolo de URLs, lo que permite a atacantes remotos realizar ataques de XSS a través del protocolo javascript://. • http://seclists.org/oss-sec/2014/q4/867 http://seclists.org/oss-sec/2014/q4/902 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://github.com/mantisbt/mantisbt/commit/05378e00 https://www.mantisbt.org/bugs/view.php?id=17297 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9506
https://notcve.org/view.php?id=CVE-2014-9506
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. MantisBT anterior a 1.2.18 no comprueba correctamente los permisos cuando envía una email que indica cuando un problema monitorizado está relacionado con otro problema, lo que permite a usuarios remotos autenticados obtener información sensible sobre los problemas restringidos. • http://seclists.org/oss-sec/2014/q4/955 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://www.mantisbt.org/bugs/changelog_page.php?version_id=191 https://www.mantisbt.org/bugs/view.php?id=9885 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9388
https://notcve.org/view.php?id=CVE-2014-9388
bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. bug_report.php en MantisBT anterior a 1.2.18 permite a atacantes remotos a asignar código arbitrario mediante el parámetro handler_id. • http://seclists.org/oss-sec/2014/q4/955 http://secunia.com/advisories/62101 http://www.debian.org/security/2015/dsa-3120 https://www.mantisbt.org/bugs/changelog_page.php?version_id=191 https://www.mantisbt.org/bugs/view.php?id=17878 • CWE-284: Improper Access Control •