CVE-2014-8598
Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML code via the 'import' page or (2) obtain sensitive information via the 'export' page. NOTE: this flaw can be combined with CVE-2014-7146 to execute arbitrary PHP code.
Multiple security issues have been found in the Mantis bug tracking system, which may result in phishing, information disclosure, CAPTCHA bypass, SQL injection, cross-site scripting or the execution of arbitrary PHP code.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-11-04 CVE Reserved
- 2014-11-18 CVE Published
- 2014-11-18 First Exploit
- 2024-08-06 CVE Updated
- 2025-04-05 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-19: Data Processing Errors
CAPEC
References (10)
URL | Tag | Source
---|---|---
http://secunia.com/advisories/62101 | Third Party Advisory |
http://www.openwall.com/lists/oss-security/2014/11/07/28 | Mailing List |
http://www.securityfocus.com/bid/70996 | Vdb Entry |
https://exchange.xforce.ibmcloud.com/vulnerabilities/98573 | Vdb Entry |
https://www.mantisbt.org/bugs/view.php?id=17725 | |
https://www.mantisbt.org/bugs/view.php?id=17780 | |

URL | Date | SRC
---|---|---
https://www.exploit-db.com/exploits/41685 | 2014-11-18 |

URL | Date | SRC
---|---|---
http://www.debian.org/security/2015/dsa-3120 | 2017-09-08 |
http://www.mantisbt.org/bugs/view.php?id=17780 | 2017-09-08 |
https://github.com/mantisbt/mantisbt/commit/80a15487 | 2017-09-08 |