CVE-2014-6316 - Vulnerability Details - OpenCVE

Description

core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.

Published: 2014-12-12

Score: 5.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-3120-1	mantis security update
EUVD	EUVD-2014-6200	core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00605.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://seclists.org/oss-sec/2014/q4/931
http://secunia.com/advisories/62101
http://www.debian.org/security/2015/dsa-3120
http://www.openwall.com/lists/oss-security/2014/12/03/11
http://www.securityfocus.com/bid/71478
https://exchange.xforce.ibmcloud.com/vulnerabilities/99128
https://github.com/mantisbt/mantisbt/commit/e66ecc9f
https://www.mantisbt.org/bugs/view.php?id=17648

History

No history.

Subscriptions

Mantisbt Mantisbt

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-12-12T11:00:00.000Z

Updated: 2024-08-06T12:10:13.283Z

Reserved: 2014-09-11T00:00:00.000Z

Link: CVE-2014-6316

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-12-12T11:59:03.610

Modified: 2026-05-06T22:30:45.220

Link: CVE-2014-6316

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-12-02T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-07T15:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.mantisbt.org/bugs/view.php?id=17648"}, {"name": "mantisbt-cve20146316-open-redirect(99128)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99128"}, {"name": "71478", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/71478"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mantisbt/mantisbt/commit/e66ecc9f"}, {"name": "[oss-security] 20141205 RE: CVE-2014-6316: URL redirection issue in MantisBT", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q4/931"}, {"name": "[oss-security] 20141202 CVE-2014-6316: URL redirection issue in MantisBT", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/12/03/11"}, {"name": "62101", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/62101"}, {"name": "DSA-3120", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3120"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-6316", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.mantisbt.org/bugs/view.php?id=17648", "refsource": "CONFIRM", "url": "https://www.mantisbt.org/bugs/view.php?id=17648"}, {"name": "mantisbt-cve20146316-open-redirect(99128)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99128"}, {"name": "71478", "refsource": "BID", "url": "http://www.securityfocus.com/bid/71478"}, {"name": "https://github.com/mantisbt/mantisbt/commit/e66ecc9f", "refsource": "CONFIRM", "url": "https://github.com/mantisbt/mantisbt/commit/e66ecc9f"}, {"name": "[oss-security] 20141205 RE: CVE-2014-6316: URL redirection issue in MantisBT", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q4/931"}, {"name": "[oss-security] 20141202 CVE-2014-6316: URL redirection issue in MantisBT", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/12/03/11"}, {"name": "62101", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/62101"}, {"name": "DSA-3120", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3120"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T12:10:13.283Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mantisbt.org/bugs/view.php?id=17648"}, {"name": "mantisbt-cve20146316-open-redirect(99128)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99128"}, {"name": "71478", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/71478"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mantisbt/mantisbt/commit/e66ecc9f"}, {"name": "[oss-security] 20141205 RE: CVE-2014-6316: URL redirection issue in MantisBT", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q4/931"}, {"name": "[oss-security] 20141202 CVE-2014-6316: URL redirection issue in MantisBT", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/12/03/11"}, {"name": "62101", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/62101"}, {"name": "DSA-3120", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3120"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-6316", "datePublished": "2014-12-12T11:00:00.000Z", "dateReserved": "2014-09-11T00:00:00.000Z", "dateUpdated": "2024-08-06T12:10:13.283Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*", "matchCriteriaId": "5761D76C-7109-4E94-AEC3-3A6419429A91", "versionEndIncluding": "1.2.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php."}, {"lang": "es", "value": "core/string_api.php en MantisBT anterior a 1.2.18 no categoriza correctamente las URLs cuando funciona bajo el root web, lo que permite a atacantes remotos realizar ataques de redirecci\u00f3n abierta y phishing a trav\u00e9s de una URL manipulada en el par\u00e1metro return en login_page.php."}], "id": "CVE-2014-6316", "lastModified": "2026-05-06T22:30:45.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-12-12T11:59:03.610", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/oss-sec/2014/q4/931"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/62101"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3120"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2014/12/03/11"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/71478"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99128"}, {"source": "cve@mitre.org", "url": "https://github.com/mantisbt/mantisbt/commit/e66ecc9f"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.mantisbt.org/bugs/view.php?id=17648"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://seclists.org/oss-sec/2014/q4/931"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/62101"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3120"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2014/12/03/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/71478"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99128"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/mantisbt/mantisbt/commit/e66ecc9f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mantisbt.org/bugs/view.php?id=17648"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}