CVE-2014-2238

Name of the Vulnerable Software and Affected Versions MantisBT versions 1.2.13 through 1.2.16

Description The issue allows remote authenticated administrators to execute arbitrary SQL commands. This is achieved via the filter config id parameter in the manage configuration page, specifically in the adm config report.php file.

Recommendations For versions 1.2.13 through 1.2.16, update to a version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the adm config report.php page and avoid using the filter config id parameter until the issue is resolved.