CVE-2014-9572

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 1.2.19 MantisBT versions 1.3.x prior to 1.3.0-beta.2

Description The issue allows remote attackers to obtain database credentials. This is due to improper access restriction to the "/install.php" API endpoint, specifically when the install parameter is set to 4.

Recommendations For versions prior to 1.2.19, update to version 1.2.19 or later. For versions 1.3.x prior to 1.3.0-beta.2, update to version 1.3.0-beta.2 or later. As a temporary workaround, consider restricting access to the "/install.php" endpoint until a patch is available. Avoid using the install parameter with the value 4 in the affected API endpoint until the issue is resolved.