Filtered by vendor Mantisbt
Subscriptions
Total
115 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-6799 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| A cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter. | ||||
| CVE-2017-6797 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter. | ||||
| CVE-2017-12419 | 3 Mantisbt, Mariadb, Mysql | 3 Mantisbt, Mariadb, Mysql | 2024-11-21 | N/A |
| If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature to remotely access files on the MantisBT server. | ||||
| CVE-2017-12062 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled. | ||||
| CVE-2017-12061 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | 6.1 Medium |
| An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP. | ||||
| CVE-2016-7111 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. | ||||
| CVE-2016-6837 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter. | ||||
| CVE-2016-5364 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter. | ||||
| CVE-2015-5059 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects via a file id number in the file_id parameter to file_download.php. | ||||
| CVE-2015-2046 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later before 1.2.20. | ||||
| CVE-2015-1042 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316. | ||||
| CVE-2014-9759 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| Incomplete blacklist vulnerability in the config_is_private function in config_api.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request. | ||||
| CVE-2014-9701 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter to permalink_page.php. | ||||
| CVE-2014-9624 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| CAPTCHA bypass vulnerability in MantisBT before 1.2.19. | ||||
| CVE-2014-9573 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. | ||||
| CVE-2014-9572 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. | ||||
| CVE-2014-9571 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. | ||||
| CVE-2014-9506 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | ||||
| CVE-2014-9388 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. | ||||
| CVE-2014-9281 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. | ||||