Grangeway

#13891of 53,624
19.3Total CVSS
Vulnerabilities · 4
Medium
4
PT-2017-6390
4.3
2017-08-09
Mantisbt · Mantisbt · CVE-2014-9701
**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.2.19 MantisBT versions 1.3.x prior to 1.3.0-beta.2 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `url` parameter to "permalink page.php". **Recommendations** For MantisBT versions prior to 1.2.19, update to version 1.2.19 or later. For MantisBT versions 1.3.x prior to 1.3.0-beta.2, update to version 1.3.0-beta.2 or later.
PT-2016-3509
5.0
2016-04-11
Mantisbt · Mantisbt · CVE-2014-9759
**Name of the Vulnerable Software and Affected Versions** MantisBT versions 1.3.x before 1.3.0 **Description** The issue allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request due to an incomplete blacklist vulnerability in the config is private function in config api.php. **Recommendations** For versions 1.3.x before 1.3.0, update to version 1.3.0 or later to resolve the issue.
PT-2014-8614
5.0
2014-12-17
Mantisbt · Mantisbt · CVE-2014-8553
**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.2.18 **Description** The issue allows remote attackers to obtain sensitive information. This can be achieved via specific SOAP requests, including `mc project get users`, `mc issue get`, `mc filter get issues`, or `mc project get issues`. The `mci account get array by id` function in `api/soap/mc account api.php` is involved in this issue. **Recommendations** For versions prior to 1.2.18, update to version 1.2.18 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mci account get array by id` function in `api/soap/mc account api.php` until a patch is applied. Additionally, limit the use of the affected SOAP requests to minimize the risk of exploitation.
PT-2014-8980
5.0
2014-12-17
Mantisbt · Mantisbt · CVE-2014-9388
**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.2.18 **Description** The issue allows remote attackers to assign arbitrary issues. This is achieved via the `handler id` parameter in the "bug report.php" file. **Recommendations** For versions prior to 1.2.18, update to version 1.2.18 or later to resolve the issue. As a temporary workaround, consider restricting access to the "bug report.php" file to minimize the risk of exploitation. Avoid using the `handler id` parameter in the affected file until the issue is resolved.