CVE request: MantisBT 1.2.13 SQL injection vulnerability
From: Damien Regad <dregad () mantisbt org>
Date: Fri, 28 Feb 2014 18:34:44 +0100
Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) discovered an
SQL injection vulnerability affecting MantisBT >= 1.2.13.
admin_config_report.php relied on unsanitized, inlined query parameters,
enabling a malicious user to perform an SQL injection attack.
The criticality of this issue is compounded by the fact that typically a
high-privilege account (i.e. having an access level >=
$g_view_configuration_threshold, which is set to ADMINISTRATOR by
default) is required to access this page.
Patches are attached to . Can you please assign a CVE ID to this issue?
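The pattern the report describes, a request parameter inlined into the SQL text, is shown below as an added example that is not MantisBT code and not part of the original message. The table, column names, sample rows and the `project_id` parameter are constructed for the illustration; the vulnerable function is placed beside a version that validates the value and binds it as a query parameter so the SQL text itself never changes.

```python
"""Constructed demonstration of an inlined query parameter vs a bound one.

This is example code, not MantisBT's admin_config_report.php. The schema,
rows and parameter names are invented for the illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny configuration table with one
    # sensitive row that a per-project report should never expose.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE config (
            config_id  TEXT    NOT NULL,
            project_id INTEGER NOT NULL,
            value      TEXT    NOT NULL
        );
        INSERT INTO config VALUES ('site_name',     0, 'Public tracker');
        INSERT INTO config VALUES ('smtp_password', 0, 'hunter2');
        INSERT INTO config VALUES ('site_name',     7, 'Project seven');
        """
    )
    return conn


def report_vulnerable(conn: sqlite3.Connection, project_id: str) -> list:
    """Vulnerable: the request parameter becomes part of the SQL text.

    A value such as "7 OR 1=1 --" turns the WHERE clause into
    "project_id = 7 OR 1=1 -- ..." and comments out the remaining filter,
    so every row in the table is returned.
    """
    sql = (
        "SELECT config_id, project_id, value FROM config "
        f"WHERE project_id = {project_id} AND config_id = 'site_name'"
    )
    return conn.execute(sql).fetchall()


def report_fixed(conn: sqlite3.Connection, project_id: str) -> list:
    """Hardened: validate the value, then bind it; the SQL text is constant."""
    if not project_id.isdigit():
        raise ValueError("project_id must be a non-negative integer")
    sql = (
        "SELECT config_id, project_id, value FROM config "
        "WHERE project_id = ? AND config_id = 'site_name'"
    )
    return conn.execute(sql, (int(project_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "7 OR 1=1 --"
    print("legit   :", report_vulnerable(db, "7"))
    print("injected:", report_vulnerable(db, payload))
    try:
        report_fixed(db, payload)
    except ValueError as exc:
        print("fixed rejects payload:", exc)
```

With the benign value `7` both functions return the single project-seven row; with the injected value the inlined version returns all three rows, including the `smtp_password` entry, while the bound version rejects the input before any query runs. Binding alone would also be sufficient here, since a bound `?` can never be interpreted as SQL, but the integer check gives a clearer error for a field that is only ever meant to hold an id.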