Main Vulnerability Database Exploits ID:3757 - Exploit for Input validation error in MantisBT - CVE-2014-7146

ID:3757 - Exploit for Input validation error in MantisBT - CVE-2014-7146

Published: August 9, 2020

Vulnerability identifier: #VU41095

Vulnerability risk: Medium

CVE-ID: CVE-2014-7146

CWE-ID: CWE-20

Exploitation vector: Remote access

Vulnerable software:
MantisBT

Link to public exploit:

https://www.rapid7.com/db/modules/exploit/multi/http/mantisbt_php_exec

Vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.

Remediation

Install update from vendor's website.

ID:3757 - Exploit for Input validation error in MantisBT - CVE-2014-7146

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human