CVE-2014-7146 (arbitrary code execution)
When importing data with the plugin, user input passed through the
"description" field (and the "issuelink" attribute) of the uploaded XML
file isn’t properly sanitized before being used in a call to the
preg_replace() function which uses the ‘e’ modifier. This can be
exploited to inject and execute arbitrary PHP code when the
Import/Export plugin is installed.
CVE-2014-8598 (unrestricted access, information disclosure)
The bundled XML Import/Export plugin does not perform any access level
checks in the import and export pages. This allows any user knowing the
URL to the plugin’s page to insert or export any (confidential) data
without restriction, regardless of their access level.
This vulnerability is particularly dangerous when used in combination
with the one described above (CVE-2014-7146) as it makes the access
complexity very simple, allowing unauthenticated attackers to execute
arbitrary code.
www.openwall.com/lists/oss-security/2014/11/07/27
www.openwall.com/lists/oss-security/2014/11/07/28
access.redhat.com/security/cve/CVE-2014-7146
access.redhat.com/security/cve/CVE-2014-8598
bugs.archlinux.org/task/42761
github.com/mantisbt/mantisbt/commit/80a15487
github.com/mantisbt/mantisbt/commit/bed19db9