Sql injection

2014-03-2016:55:00

PRIOn knowledge base

www.prio-n.com

8.7 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

83.8%

JSON

Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608.

CPENameOperatorVersion
debian_linuxeq7.0
mantisbteq1.2.13
mantisbteq1.2.2
mantisbteq1.2.0 rc1
mantisbteq1.2.5
mantisbteq1.2.10
mantisbteq1.2.9
mantisbtle1.2.15
mantisbteq1.2.0
mantisbteq1.2.8

Name	Operator	Version
debian_linux	eq	7.0
mantisbt	eq	1.2.13
mantisbt	eq	1.2.2
mantisbt	eq	1.2.0 rc1
mantisbt	eq	1.2.5
mantisbt	eq	1.2.10
mantisbt	eq	1.2.9
mantisbt	le	1.2.15
mantisbt	eq	1.2.0
mantisbt	eq	1.2.8