CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS Percentile: 82.4%
The remote web server is hosting MantisBT, an open source bug tracking application written in PHP.
Versions of MantisBT 1.2.x prior to 1.2.18 are affected by the following vulnerabilities:
- An error exists in the file ‘core/string_api.php’ that could allow open redirect attacks. (CVE-2014-6316)
- An input validation flaw exists in ‘helper_api.php’ when the ‘extended project browser’ mode is enabled. This affects the ‘project’ cookie parameter, which could allow remote attackers to inject arbitrary web script or HTML into the page. (CVE-2014-9269)
- An input validation error exists in the ‘string_insert_href’ function affecting the URL protocol, allowing a remote attacker to perform cross-site scripting attacks via the ‘javascript://’ protocol. (CVE-2014-9272)
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6316
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9272
www.nessus.org/u?54499621
www.mantisbt.org/blog/?p=301
www.mantisbt.org/bugs/view.php?id=17297
www.mantisbt.org/bugs/view.php?id=17648
www.mantisbt.org/bugs/view.php?id=17890