CVE-2014-1608

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 1.2.16

Description The issue allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a "mc issue attachment get" SOAP request. This is due to a SQL injection vulnerability in the mci file get function in api/soap/mc file api.php.

Recommendations For versions prior to 1.2.16, update to version 1.2.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the mci file get function in api/soap/mc file api.php to minimize the risk of exploitation. Avoid using crafted envelope tags in mc issue attachment get SOAP requests until the issue is resolved.