CVE-2014-1609

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 1.2.16

Description The issue allows remote attackers to execute arbitrary SQL commands via unspecified parameters to various functions, including mc project get attachments in api/soap/mc project api.php, news get limited rows in core/news api.php, and several functions in core/summary api.php and plugins/MantisGraph/core/graph api.php. This is related to the use of the db query function.

Recommendations For versions prior to 1.2.16, update to version 1.2.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints and functions, such as /api/soap/mc project api.php and core/news api.php, until a patch is available. Avoid using unspecified parameters in the affected functions until the issue is resolved.