Mantisbt: >> Mantisbt >> 1.2.14 Security Vulnerabilities
An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it).
CVSS Score
5.4
EPSS Score
0.003
Published
2020-08-12
The proj_doc_edit_page.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed when editing the document's page.
CVSS Score
6.1
EPSS Score
0.005
Published
2020-03-19
MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow restriction and close issues.
CVSS Score
4.3
EPSS Score
0.007
Published
2019-10-31
A cross-site scripting (XSS) vulnerability in MantisBT 1.2.14 allows remote attackers to inject arbitrary web script or HTML via a version, related to deleting a version.
CVSS Score
6.1
EPSS Score
0.014
Published
2019-10-31
A cross-site scripting (XSS) vulnerability in the configuration report page (adm_config_report.php) in MantisBT 1.2.0rc1 before 1.2.14 allows remote authenticated users to inject arbitrary web script or HTML via a complex value.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-10-31
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
CVSS Score
7.2
EPSS Score
0.242
Published
2019-10-09
An issue was discovered in MantisBT through 1.3.14, and 2.0.0. Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce, additional information) when cloning it. By checking the 'Copy issue notes' and 'Copy attachments' checkboxes and completing the clone operation, this data also becomes public (except private notes).
CVSS Score
6.5
EPSS Score
0.002
Published
2019-06-06
view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filter_ensure_valid_filter call in current_user_api.php.
CVSS Score
5.3
EPSS Score
0.002
Published
2018-02-02
CAPTCHA bypass vulnerability in MantisBT before 1.2.19.
CVSS Score
7.5
EPSS Score
0.006
Published
2017-09-12
Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later before 1.2.20.
CVSS Score
6.1
EPSS Score
0.004
Published
2017-08-28