Filtered by vendor Mantisbt
Subscriptions
Filtered by product Mantisbt
Subscriptions
Total
110 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-44394 | 1 Mantisbt | 1 Mantisbt | 2024-09-13 | 4.3 Medium |
MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. This issue has been addressed in commit `65c44883f` which has been included in release `2.258`. Users are advised to upgrade. Users unable to upgrade should disable wiki integration ( `$g_wiki_enable = OFF;`). | ||||
CVE-2008-3102 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | N/A |
Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | ||||
CVE-2009-20001 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | 8.1 High |
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them. | ||||
CVE-2009-2802 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | 6.1 Medium |
MantisBT 1.2.x before 1.2.2 insecurely handles attachments and MIME types. Arbitrary inline attachment rendering could lead to cross-domain scripting or other browser attacks. | ||||
CVE-2010-4348 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | N/A |
Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to inject arbitrary web script or HTML via the db_type parameter, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | ||||
CVE-2010-4350 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | N/A |
Directory traversal vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the db_type parameter, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | ||||
CVE-2010-4349 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | N/A |
admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to obtain sensitive information via an invalid db_type parameter, which reveals the installation path in an error message, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP. | ||||
CVE-2010-3763 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | N/A |
Cross-site scripting (XSS) vulnerability in core/summary_api.php in MantisBT before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the Summary field, a different vector than CVE-2010-3303. | ||||
CVE-2010-3303 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.3 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) a plugin name, related to manage_plugin_uninstall.php; (2) an enumeration value or (3) a String value of a custom field, related to core/cfdefs/cfdef_standard.php; or a (4) project or (5) category name to print_all_bug_page_word.php. | ||||
CVE-2010-2802 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | N/A |
Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script or HTML via an HTML document with a .gif filename extension, related to inline attachments. | ||||
CVE-2010-2574 | 1 Mantisbt | 1 Mantisbt | 2024-08-07 | N/A |
Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the name parameter in an Add Category action. | ||||
CVE-2011-3755 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
MantisBT 1.2.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by view_all_inc.php and certain other files. | ||||
CVE-2011-3578 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the action parameter, related to bug_actiongroup_page.php, a different vulnerability than CVE-2011-3357. | ||||
CVE-2011-3356 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in config_defaults_inc.php in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO, as demonstrated by the PATH_INFO to (1) manage_config_email_page.php, (2) manage_config_workflow_page.php, or (3) bugs/plugin.php. | ||||
CVE-2011-3357 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
Directory traversal vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter, related to bug_actiongroup_page.php. | ||||
CVE-2011-3358 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) os, (2) os_build, or (3) platform parameter to (a) bug_report_page.php or (b) bug_update_advanced_page.php, related to use of the Projax library. | ||||
CVE-2011-2938 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in filter_api.php in MantisBT before 1.2.7 allow remote attackers to inject arbitrary web script or HTML via a parameter, as demonstrated by the project_id parameter to search.php. | ||||
CVE-2012-5523 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. | ||||
CVE-2012-5522 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. | ||||
CVE-2012-2692 | 1 Mantisbt | 1 Mantisbt | 2024-08-06 | N/A |
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments. |