Note: This project will be discontinued after December 13, 2021.
Product: Mantisbt

Repositories | https://github.com/mantisbt/mantisbt |
---|---|
#Vulnerabilities | 110 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2012-06-29 | CVE-2012-1119 | MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection. | Mantisbt | N/A | ||
2012-11-16 | CVE-2012-5523 | core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. | Mantisbt | N/A | ||
2012-11-16 | CVE-2012-5522 | MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. | Mantisbt | N/A | ||
2012-06-17 | CVE-2012-2692 | MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments. | Mantisbt | N/A | ||
2012-06-29 | CVE-2012-1123 | The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass authentication via a null password. | Mantisbt | N/A | ||
2012-06-17 | CVE-2012-2691 | The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request. | Mantisbt | N/A | ||
2020-12-30 | CVE-2020-28413 | In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the API SOAP. | Mantisbt | 6.5 | ||
2020-09-30 | CVE-2020-25830 | An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php. | Mantisbt | 4.8 | ||
2020-09-30 | CVE-2020-25288 | An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript. | Mantisbt | 4.8 | ||
2020-08-12 | CVE-2020-16266 | An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it). | Mantisbt | N/A | ||