Lucene search

[email protected]CVE-2014-7146

HistoryNov 18, 2014 - 3:59 p.m.

CVE-2014-7146

2014-11-1815:59:00

CWE-20

[email protected]

web.nvd.nist.gov

cve-2014-7146

xmlimportexport

mantisbt

remote code execution

security vulnerability

nvd

5.8 Medium

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.352 Low

EPSS

Percentile

97.1%

JSON

The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.

CPENameOperatorVersion
mantisbt:mantisbtmantisbteq1.2.17

CPE	Name	Operator	Version
mantisbt:mantisbt	mantisbt	eq	1.2.17

References

seclists.org/oss-sec/2014/q4/576

secunia.com/advisories/62101

www.debian.org/security/2015/dsa-3120

www.mantisbt.org/bugs/view.php?id=17725

www.securityfocus.com/bid/70993

exchange.xforce.ibmcloud.com/vulnerabilities/98572

github.com/mantisbt/mantisbt/commit/84017535

github.com/mantisbt/mantisbt/commit/bed19db9

5.8 Medium

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.352 Low

EPSS

Percentile

97.1%

JSON

Related for CVE-2014-7146

zdt4 prion2 packetstorm2 securityvulns3 ubuntucve2 archlinux1 cve1 fedora9 openvas11 nessus6 debian1 osv1