Description
A weakness and multiple vulnerabilities have been reported in MantisBT, which can be exploited by malicious users to conduct script insertion and SQL injection attacks, bypass certain security restrictions, and compromise a vulnerable system, and by malicious people to conduct spoofing, cross-site scripting, and SQL injection attacks and bypass certain security restrictions.
1) The application does not properly restrict access to the XML Plugin functionality, which can be exploited to gain access to otherwise restricted functionality and subsequently e.g. manipulate otherwise restricted database information.
2) Certain input passed to plugins/XmlImportExport/ImportXml.php is not properly sanitised before being used in a call to the "preg_replace()" function with the "e" modifier and can be exploited to inject and execute arbitrary PHP code.
Note: This vulnerability can be exploited in conjunction with vulnerability #1.
3) The application does not properly restrict access to the download attachments functionality, which can be exploited to download otherwise restricted files.
4) Certain input passed to adm_config_report.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
5) Input passed via the "sort" and "dir" parameters to view_all_set.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
6) Certain input is not properly sanitised within the "string_insert_hrefs()" function (core/string_api.php) before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
7) Certain input is not properly sanitised in the "projax_array_serialize_for_autocomplete()" function (core/projax_api.php) before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
8) Certain input related to the inline display of Flash content is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
9) Certain input related to invalid config ID handling within adm_config_report.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
10) Certain input related to core/helper_api.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation of this vulnerability requires that the "Extended project browser" option be enabled.
11) Input passed via the "filter" parameter to view_filters_page.php is not properly verified before being used in a call to the "unserialize()" function. This can be exploited to perform certain otherwise restricted actions via specially crafted serialized objects.
12) Input passed via the "project_id" parameter to a SOAP request is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
13) An error when handling e-mails about issue relations can be exploited to disclose certain otherwise restricted information about a related issue.
14) An error when handling history can be exploited to disclose otherwise restricted attachments.
15) The application does not properly restrict access to certain SOAP API utility functions, which can be exploited to disclose otherwise restricted information.
16) An error when handling LDAP binds can be exploited to perform an otherwise restricted unauthenticated bind and subsequently gain otherwise restricted access.
17) Input passed via the "return" GET parameter to "login_page.php" is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
18) An error when handling bug reporting can be exploited to set an otherwise restricted handler.
The weakness and the vulnerabilities are reported in version 1.2.17. Other versions may also be affected.
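Item 2 above turns on the "e" modifier of preg_replace(), which makes PHP evaluate the replacement string as code (the modifier was deprecated in PHP 5.5 and removed in 7.0). The audit script below is an added example, not MantisBT code or Secunia's: it scans PHP source for preg_replace() calls whose literal pattern carries that modifier, run here over constructed sample lines rather than the real plugins/XmlImportExport/ImportXml.php.

```python
import re
from typing import List, Tuple

# Constructed sample PHP source (not MantisBT code). The first two calls use the
# dangerous construct described in item 2; the remaining lines are decoys that a
# naive grep for "/e" would misreport.
SAMPLE_PHP = r"""
$a = preg_replace('/<b>(.*?)<\/b>/e', 'strtoupper("$1")', $text);
$b = preg_replace("#foo#ie", 'do_thing()', $text);
$c = preg_replace('/safe/i', 'replacement', $text);
$d = preg_replace_callback('/x/e', 'cb', $text);
$e = preg_replace('{e}', 'x', $text);
$f = str_replace('/e', '', $text);
"""

# preg_replace( followed by a quoted PHP string literal as its first argument.
# Group 1 is the quote character, group 2 the raw contents of the literal.
PREG_LITERAL = re.compile(r"""\bpreg_replace\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""")

BRACKET_PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def pcre_modifiers(pattern: str) -> str:
    """Return the modifier letters after the closing delimiter of a PCRE pattern,
    e.g. 'ie' for '#foo#ie'. Bracket delimiters pair with their matching closer;
    the last occurrence of the closer ends the pattern body."""
    pattern = pattern.lstrip()
    if not pattern:
        return ""
    open_delim = pattern[0]
    close_delim = BRACKET_PAIRS.get(open_delim, open_delim)
    end = pattern.rfind(close_delim)
    if end <= 0:
        return ""
    return pattern[end + 1:]


def find_eval_modifier(php_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each preg_replace() whose literal
    pattern carries the 'e' modifier. Patterns assembled at runtime (variables,
    concatenation) are not literals and are not inspected by this check."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in PREG_LITERAL.finditer(line):
            if "e" in pcre_modifiers(match.group(2)):
                hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, line in find_eval_modifier(SAMPLE_PHP):
        print(f"line {lineno}: {line}")
```

Any hit should be rewritten to preg_replace_callback() with a fixed callback, and the tainted input in ImportXml.php-style code kept out of the replacement string entirely.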