oss-sec mailing list archives

CVE request: MantisBT 1.2.13 SQL injection vulnerability
From: Damien Regad <dregad () mantisbt org>
Date: Fri, 28 Feb 2014 18:34:44 +0100


Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) discovered an SQL injection vulnerability issue affecting MantisBT >= 1.2.13.

admin_config_report.php relied on unsanitized, inlined query parameters, enabling a malicious user to perform an SQL injection attack.

The criticality of this issue is compounded by the fact that typically a high-privilege account (i.e. having an access level >= $g_view_configuration_threshold, which is set to ADMINISTRATOR by default) is required to access this page.

Patches are attached to [1]. Can you please assign a CVE ID to this issue?

Thank you

D. Regad
MantisBT Developer

[1] http://www.mantisbt.org/bugs/view.php?id=17055
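As an added illustration (not MantisBT's code and not the patch referenced in [1]), the "inlined request parameter" pattern the message describes next to a validate-then-bind version, run against a constructed in-memory SQLite table; the table name, columns and the project-id filter are assumptions modelled on a configuration report, not taken from admin_config_report.php:

```php
<?php
// Constructed sample data: a small config table, not MantisBT's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE config (config_id TEXT, project_id INTEGER, user_id INTEGER, value TEXT)');
$db->exec("INSERT INTO config VALUES ('allow_signup', 0, 0, '1'),
                                     ('default_language', 0, 0, 'english'),
                                     ('timezone', 3, 0, 'UTC')");

// Vulnerable pattern: the filter value is concatenated into the SQL text, so
// whatever the caller sends becomes part of the statement rather than data.
function config_report_inlined(PDO $db, string $filter_project_id): array {
    $query = "SELECT config_id, project_id FROM config WHERE project_id = $filter_project_id";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not an integer id before it
// reaches the database, then pass it as a bound parameter so the shape of
// the query is fixed at prepare time.
function config_report_bound(PDO $db, string $filter_project_id): array {
    if (filter_var($filter_project_id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('project id must be an integer');
    }
    $stmt = $db->prepare('SELECT config_id, project_id FROM config WHERE project_id = ?');
    $stmt->execute([(int) $filter_project_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = '3';          // one project
$hostile = '3 OR 1=1';   // constructed non-integer input that widens the WHERE clause

printf("inlined, normal input : %d row(s)\n", count(config_report_inlined($db, $normal)));
printf("inlined, hostile input: %d row(s)\n", count(config_report_inlined($db, $hostile)));
printf("bound,   normal input : %d row(s)\n", count(config_report_bound($db, $normal)));
try {
    config_report_bound($db, $hostile);
} catch (InvalidArgumentException $e) {
    printf("bound,   hostile input: rejected (%s)\n", $e->getMessage());
}
```

The same validate-then-bind treatment applies to every filter the report accepts, not only the one shown; an access-level check such as the $g_view_configuration_threshold gate limits who can reach the page but does not substitute for it.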
