Filtered by vendor Mantisbt
Subscriptions
Filtered by product Mantisbt
Subscriptions
Total
114 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2014-9089 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2025-04-12 | N/A |
Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php. | ||||
CVE-2014-9280 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter. | ||||
CVE-2014-8553 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. | ||||
CVE-2014-2238 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter. | ||||
CVE-2013-0197 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in the filter_draw_selection_area2 function in core/filter_api.php in MantisBT 1.2.12 before 1.2.13 allows remote attackers to inject arbitrary web script or HTML via the match_type parameter to bugs/search.php. | ||||
CVE-2014-8554 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1609. | ||||
CVE-2014-9271 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2025-04-12 | 5.4 Medium |
Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. | ||||
CVE-2014-9269 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. | ||||
CVE-2014-9270 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field. | ||||
CVE-2014-9388 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. | ||||
CVE-2014-9506 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | ||||
CVE-2014-8986 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987. | ||||
CVE-2014-8987 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via the config_option parameter, a different vulnerability than CVE-2014-8986. | ||||
CVE-2013-1810 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function. | ||||
CVE-2014-8598 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. | ||||
CVE-2014-8988 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. | ||||
CVE-2014-9759 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
Incomplete blacklist vulnerability in the config_is_private function in config_api.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request. | ||||
CVE-2014-9281 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. | ||||
CVE-2014-1608 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2025-04-12 | N/A |
SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. | ||||
CVE-2014-9573 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | N/A |
SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. |