CVE-2019-15074
 
Severity Score: -
Exploit Likelihood: -
Affected Versions: see table below
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-08-15 CVE Reserved
- 2019-08-21 CVE Published
- 2023-09-30 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
URL | Date | Source
---|---|---
https://mantisbt.org/bugs/view.php?id=25995 | 2024-08-05 |
https://github.com/mantisbt/mantisbt/commit/9cee1971c498bbe0a72bca1c773fae50171d8c27 | 2019-09-04 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Mantisbt | Mantisbt | >= 2.13.0 <= 2.21.1 | - | Affected