Lucene search

[email protected]CVE-2014-6316

HistoryDec 12, 2014 - 11:59 a.m.

CVE-2014-6316

2014-12-1211:59:03

[email protected]

web.nvd.nist.gov

cve-2014-6316

mantisbt

web security

open redirect

phishing

vulnerability

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

5.3 Medium

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

81.8%

JSON

core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.

Affected configurations

NVD

Node

mantisbtmantisbtRange≤1.2.17

CPENameOperatorVersion
mantisbt:mantisbtmantisbtle1.2.17

CPE	Name	Operator	Version
mantisbt:mantisbt	mantisbt	le	1.2.17

References

seclists.org/oss-sec/2014/q4/931

secunia.com/advisories/62101

www.debian.org/security/2015/dsa-3120

www.openwall.com/lists/oss-security/2014/12/03/11

www.securityfocus.com/bid/71478

exchange.xforce.ibmcloud.com/vulnerabilities/99128

github.com/mantisbt/mantisbt/commit/e66ecc9f

www.mantisbt.org/bugs/view.php?id=17648

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

5.3 Medium

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

81.8%

JSON

Related for CVE-2014-6316

prion2 ubuntucve2 cvelist2 nvd2 cve1 packetstorm1 nessus6 archlinux2 openvas6 fedora3 debian1 securityvulns2 osv1