Detections
Analytics
MantisBT 1.2.12 - 1.2.14 Multiple Vulnerabilities
medium Nessus Plugin ID 66392
Language:
Synopsis
The remote web server contains a PHP application that is affected by multiple vulnerabilities.Description
According to its version number, the MantisBT install hosted on the remote web server is affected by multiple vulnerabilities:- A flaw exists in the 'filter_api.php' script when conducting a search query on the View Issues page.
Combining filter criteria could lead to a denial of service. (CVE-2013-1883)
- A flaw exists that is due to the close button being displayed even when disallowed. This may allow a remote attacker to change the ticket status without sufficient privileges. (CVE-2013-1930)
- A cross-site scripting vulnerability exists in the 'manage_proj_ver_delete.php' because the 'version' parameter does not properly sanitize input. This flaw reportedly affects Mantis 1.2.14.
(CVE-2013-1931)
Solution
Upgrade to version 1.2.15 or later.See Also
https://mantisbt.org/blog/archives/mantisbt/249
https://mantisbt.org/bugs/view.php?id=15453
Plugin Details
Severity: Medium
ID: 66392
File Name: mantis_1_2_15.nasl
Version: 1.13
Type: remote
Family: CGI abuses
Published: 5/13/2013
Updated: 4/11/2022
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2013-1931
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Temporal Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:mantisbt:mantisbt
Required KB Items: Settings/ParanoidReport, installed_sw/MantisBT
Exploit Ease: No known exploits are available
Patch Publication Date: 4/14/2013
Vulnerability Publication Date: 1/31/2013