The "View Bugs" page (view_all_bug_page.php) in Mantis 0.17.4a and earlier includes summaries of private bugs for users that do not have access to any projects.
Max CVSS
7.5
EPSS Score
0.25%
Published
2002-10-04
Updated
2017-10-10
Mantis 0.17.4a and earlier allows remote attackers to view private bugs by modifying the f_id bug ID parameter to (1) bug_update_advanced_page.php, (2) bug_update_page.php, (3) view_bug_advanced_page.php, or (4) view_bug_page.php.
Max CVSS
5.0
EPSS Score
0.35%
Published
2002-10-04
Updated
2016-10-18
config_inc2.php in Mantis before 0.17.4 allows remote attackers to execute arbitrary code or read arbitrary files via the parameters (1) g_bottom_include_page, (2) g_top_include_page, (3) g_css_include_file, (4) g_meta_include_file, or (5) a cookie.
Max CVSS
7.5
EPSS Score
1.60%
Published
2002-10-04
Updated
2016-10-18
summary_graph_functions.php in Mantis 0.17.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the g_jpgraph_path parameter to reference the location of the PHP code.
Max CVSS
7.5
EPSS Score
7.45%
Published
2002-10-04
Updated
2017-10-10
Mantis before 0.17.4 allows remote attackers to list project bugs without authentication by modifying the cookie that is used by the "View Bugs" page.
Max CVSS
5.0
EPSS Score
0.38%
Published
2002-10-04
Updated
2017-10-10
print_all_bug_page.php in Mantis 0.17.3 and earlier does not verify the limit_reporters option, which allows remote attackers to view bug summaries for bugs that would otherwise be restricted.
Max CVSS
5.0
EPSS Score
0.38%
Published
2002-10-04
Updated
2017-10-10
Multiple SQL injection vulnerabilities in Mantis 0.17.2 and earlier, when running without magic_quotes_gpc enabled, allows remote attackers to gain privileges or perform unauthorized database operations via modified form fields, e.g. to account_update.php.
Max CVSS
10.0
EPSS Score
0.28%
Published
2002-10-04
Updated
2016-10-18
7 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!