Multiple vulnerabilities in MantisBT

1) Cross-site scripting

EUVDB-ID: #VU40668

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-8987

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote administrators to inject arbitrary web script or HTML via the config_option parameter, a different vulnerability than CVE-2014-8986.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MantisBT: 1.2.13 - 1.2.17

CPE2.3

External links

https://www.mantisbt.org/bugs/view.php?id=17870
https://www.openwall.com/lists/oss-security/2014/11/14/9
https://www.openwall.com/lists/oss-security/2014/11/15/2
https://www.openwall.com/lists/oss-security/2014/11/15/3
https://www.openwall.com/lists/oss-security/2014/11/15/4
https://www.openwall.com/lists/oss-security/2014/11/19/21
https://github.com/mantisbt/mantisbt/commit/49c3d089

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU41027

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-9279

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MantisBT: 1.0.0 - 1.2.17

CPE2.3

External links

https://seclists.org/oss-sec/2014/q4/863
https://www.mantisbt.org/bugs/view.php?id=17877
https://www.securityfocus.com/bid/71359
https://exchange.xforce.ibmcloud.com/vulnerabilities/99031
https://github.com/mantisbt/mantisbt/commit/0826cef8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU41028

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-9270

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MantisBT: 1.0.0 - 1.2.17

CPE2.3

External links

https://seclists.org/oss-sec/2014/q4/867
https://seclists.org/oss-sec/2014/q4/902
https://secunia.com/advisories/62101
https://www.debian.org/security/2015/dsa-3120
https://www.securityfocus.com/bid/71372
https://exchange.xforce.ibmcloud.com/vulnerabilities/99037
https://github.com/mantisbt/mantisbt/commit/0bff06ec
https://www.mantisbt.org/bugs/view.php?id=17583

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU41065

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-8988

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote #AU# to gain access to sensitive information.

MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MantisBT: 1.2.17

CPE2.3

cpe:2.3:a:mantisbt_sourceforge_net:mantisbt:1.2.17:*:*:*:*:*:*:*

External links

https://seclists.org/oss-sec/2014/q4/693
https://secunia.com/advisories/62101
https://www.debian.org/security/2015/dsa-3120
https://www.mantisbt.org/bugs/view.php?id=17742
https://www.openwall.com/lists/oss-security/2014/11/15/6
https://www.securityfocus.com/bid/71104
https://exchange.xforce.ibmcloud.com/vulnerabilities/98731
https://github.com/mantisbt/mantisbt/commit/5f0b150b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cross-site scripting

EUVDB-ID: #VU41066

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-8986

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 when processing a crafted config option, a different vulnerability than CVE-2014-8987. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MantisBT: 1.2.13 - 1.2.17

CPE2.3

External links

https://secunia.com/advisories/62101
https://www.debian.org/security/2015/dsa-3120
https://www.openwall.com/lists/oss-security/2014/11/15/1
https://www.openwall.com/lists/oss-security/2014/11/15/2
https://www.openwall.com/lists/oss-security/2014/11/15/3
https://www.openwall.com/lists/oss-security/2014/11/19/20
https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU41095

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Green]

CVE-ID: CVE-2014-7146

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MantisBT: 1.2.17

CPE2.3

cpe:2.3:a:mantisbt_sourceforge_net:mantisbt:1.2.17:*:*:*:*:*:*:*

External links

https://seclists.org/oss-sec/2014/q4/576
https://secunia.com/advisories/62101
https://www.debian.org/security/2015/dsa-3120
https://www.mantisbt.org/bugs/view.php?id=17725
https://www.securityfocus.com/bid/70993
https://exchange.xforce.ibmcloud.com/vulnerabilities/98572
https://github.com/mantisbt/mantisbt/commit/84017535
https://github.com/mantisbt/mantisbt/commit/bed19db9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

Risk	Medium
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2014-8987 CVE-2014-9279 CVE-2014-9270 CVE-2014-8988 CVE-2014-8986 CVE-2014-7146
CWE-ID	CWE-79 CWE-200 CWE-264 CWE-20
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #6 is available.
Vulnerable software	MantisBT Web applications / Other software
Vendor	mantisbt.sourceforge.net