mantisbt vulnerabilities and exploits
CVE-2020-25288 (CVSSv3: 4.8; vendor/product: Mantisbt / Mantisbt)
An issue exists in MantisBT prior to 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, e...

CVE-2020-25781 (CVSSv3: 4.3; vendor/product: Mantisbt / Mantisbt)
An issue exists in file_download.php in MantisBT prior to 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.

CVE-2022-33910 (CVSSv3: 5.4; vendor/product: Mantisbt / Mantisbt; 1 GitHub repository)
An XSS vulnerability in MantisBT prior to 2.25.5 allows remote malicious users to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a ...

CVE-2014-8553 (CVSSv3: NA; vendor/product: Mantisbt / Mantisbt)
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT prior to 1.2.18 allows remote malicious users to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request.

CVE-2014-8598 (CVSSv3: NA; vendor/product: Mantisbt / Mantisbt; 1 EDB exploit)
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote malicious users to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execu...

CVE-2019-15539 (CVSSv3: 6.1; vendor/product: Mantisbt / Mantisbt)
The proj_doc_edit_page.php Project Documentation feature in MantisBT prior to 2.21.3 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed...

CVE-2017-7222 (CVSSv3: 6.1; vendor/product: Mantisbt / Mantisbt)
A cross-site scripting (XSS) vulnerability in MantisBT prior to 2.1.1 allows remote malicious users to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. This requires privileged ...

CVE-2020-29604 (CVSSv3: 6.5; vendor/product: Mantisbt / Mantisbt)
An issue exists in MantisBT prior to 2.24.4. A missing access check in bug_actiongroup.php allows an attacker (with rights to create new issues) to use the COPY group action to create a clone, including all bugnotes and attachments, of any private issue (i.e., one having Private ...

CVE-2020-29603 (CVSSv3: 4.3; vendor/product: Mantisbt / Mantisbt)
In manage_proj_edit_page.php in MantisBT prior to 2.24.4, any unprivileged logged-in user can retrieve Private Projects' names via the manage_proj_edit_page.php project_id parameter, without having access to them.

CVE-2019-15074 (CVSSv3: 9.6; vendor/product: Mantisbt / Mantisbt)
The Timeline feature in my_view_page.php in MantisBT up to and including 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for ...