Filtered by vendor Mantisbt
Subscribe
Total
119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-9281 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. | |||||
| CVE-2014-9272 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2025-04-12 | 4.3 MEDIUM | N/A |
| The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. | |||||
| CVE-2015-1042 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.8 MEDIUM | N/A |
| The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316. | |||||
| CVE-2013-1883 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.0 MEDIUM | N/A |
| Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type. | |||||
| CVE-2014-6316 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.8 MEDIUM | N/A |
| core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php. | |||||
| CVE-2014-8988 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 4.0 MEDIUM | N/A |
| MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. | |||||
| CVE-2014-9388 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.0 MEDIUM | N/A |
| bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. | |||||
| CVE-2014-8553 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 5.0 MEDIUM | N/A |
| The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. | |||||
| CVE-2014-9089 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2025-04-12 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php. | |||||
| CVE-2014-9506 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 3.5 LOW | N/A |
| MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | |||||
| CVE-2014-7146 | 1 Mantisbt | 1 Mantisbt | 2025-04-12 | 7.5 HIGH | N/A |
| The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier. | |||||
| CVE-2011-3358 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) os, (2) os_build, or (3) platform parameter to (a) bug_report_page.php or (b) bug_update_advanced_page.php, related to use of the Projax library. | |||||
| CVE-2012-1120 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 3.6 LOW | N/A |
| The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which allows remote authenticated users with read and write SOAP API privileges to delete arbitrary bug reports and bug notes. | |||||
| CVE-2013-4460 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name. | |||||
| CVE-2012-1118 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 4.3 MEDIUM | N/A |
| The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform certain operations on private bug reports. | |||||
| CVE-2010-2802 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script or HTML via an HTML document with a .gif filename extension, related to inline attachments. | |||||
| CVE-2010-4350 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 5.1 MEDIUM | N/A |
| Directory traversal vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the db_type parameter, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | |||||
| CVE-2010-4348 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to inject arbitrary web script or HTML via the db_type parameter, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | |||||
| CVE-2012-1119 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 6.4 MEDIUM | N/A |
| MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection. | |||||
| CVE-2012-1121 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 4.9 MEDIUM | N/A |
| MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories. | |||||