CVE-2014-9272 (cross-side scripting)
The function "string_insert_hrefs" doesn’t validate the protocol, which
is why one can make a link that executes arbitrary JavaScript code.
CVE-2014-9270 (cross-side scripting)
The Projax library does not properly escape html strings. An attacker
could take advantage of this to perform an XSS attack using the
profile/Platform field.
CVE-2014-8987 (cross-side scripting)
The MantisBT Configuration Report page (adm_config_report.php) did not
escape a parameter before displaying it on the page, allowing an
attacker to execute arbitrary JavaScript code.
CVE-2014-9271 (cross-side scripting)
It’s possible to upload Flash files and make open them inline by using
an image extension. Since Flash files can execute JavaScript this
becomes a persistent XSS.
CVE-2014-9281 (cross-side scripting)
A missing sanity check in copy_field.php is leading to a reflected XSS
vulnerability which could be exploited f.e. by the dest_id parameter.
CVE-2014-8986 (cross-side scripting)
Cross-site scripting (XSS) vulnerability in the selection list in the
filters in the Configuration Report page (adm_config_report.php) allows
remote administrators to inject arbitrary web script or HTML via a
crafted config option.
CVE-2014-9269 (cross-side scripting)
Extended project browser allows projects to be passed in as A;B.
helper_get_current_project() and helper_get_current_project_trace() then
explodes the string by ‘;’ and doesn’t check that A is an int
(representing a project/sub-project id).
Finally, print_extended_project_browser() prints the result of the split
into a JavaScript array.
CVE-2014-9280 (code execution)
PHP Object Injection in filter API in the function
current_user_get_bug_filter (core\current_user_api.php line 212). The
code loads a variable from $_GET[‘filter’]/$_POST[‘filter’] and if it’s
not numeric, feeds it straight into unserialize() on line 223.
The current_user_get_bug_filter function is called in 10 places, easiest
is just to access /view_filters_page.php.
A PoC initializing a class that’s loaded could look like this:
/view_filters_page.php?filter=O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";}
CVE-2014-9089 (sql injection)
Multiple SQL injection vulnerabilities in view_all_bug_page.php in
MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL
commands via the ‘sort’ or ‘dir’ parameter to view_all_set.php.
Both parameters are split into chunks on ‘,’. After splitting, only the
first two values are validated. By supplying a third value, SQL
injection can be performed.
CVE-2014-9279 (information disclosure)
Database credentials leak via unattended upgrade script will connect to
arbitrary host with the current DB config credentials. The unattended
upgrade script retrieved DB connection settings from POST parameters,
allowing an attacker to get the script to connect to their host with the
current DB config credentials.
CVE-2014-8988 (information disclosure)
It is possible to bypass the $g_download_attachments_threshold and
$g_view_attachments_threshold restrictions and read attachments for
private projects by leveraging access to a project that does not
restrict access to attachments and a request to the download URL.
CVE-2014-8553 (information disclosure)
No public information is available yet.
CVE-2014-6387 (authentication bypass)
A flaw in gpc_api.php allows remote attackers to bypass authentication
via a password starting will a null byte, which triggers an
unauthenticated bind. A malicious user can exploit this vulnerability to
login as any registered user and without knowing their password, to
systems relying on LDAP for user authentication (e.g. Active Directory
or OpenLDAP with "allow bind_anon_cred").
CVE-2014-6316 (cross-site redirection)
When Mantis is installed at the web server’s root, $g_short_path is set
to ‘/’. string_sanitize_url() removes the trailing ‘/’ from the short
path, which causes the URL to be incorrectly categorized as "type 2",
thus allowing cross-site redirection to occur.
CVE-2014-9117 (captcha bypass)
MantisBT before 1.2.18 uses the public_key parameter value as the key to
the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA
protection mechanism by leveraging knowledge of a CAPTCHA answer for a
public_key parameter value, as demonstrated by E4652 for the public_key
value 0.
seclists.org/oss-sec/2014/q4/955
access.redhat.com/security/cve/CVE-2014-6316
access.redhat.com/security/cve/CVE-2014-8987
access.redhat.com/security/cve/CVE-2014-9269
access.redhat.com/security/cve/CVE-2014-9270
access.redhat.com/security/cve/CVE-2014-9271
access.redhat.com/security/cve/CVE-2014-9272
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8553
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9279
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9280
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9281
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6387
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8986
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8988
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9089
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9117
www.mantisbt.org/bugs/changelog_page.php?version_id=191
www.mantisbt.org/bugs/view.php?id=17243
www.mantisbt.org/bugs/view.php?id=17297
www.mantisbt.org/bugs/view.php?id=17583
www.mantisbt.org/bugs/view.php?id=17640
www.mantisbt.org/bugs/view.php?id=17648
www.mantisbt.org/bugs/view.php?id=17742
www.mantisbt.org/bugs/view.php?id=17811
www.mantisbt.org/bugs/view.php?id=17841
www.mantisbt.org/bugs/view.php?id=17870
www.mantisbt.org/bugs/view.php?id=17874
www.mantisbt.org/bugs/view.php?id=17875
www.mantisbt.org/bugs/view.php?id=17876
www.mantisbt.org/bugs/view.php?id=17877
www.mantisbt.org/bugs/view.php?id=17889
www.mantisbt.org/bugs/view.php?id=17890