Lucene search
K

218 matches found

Github Security Blog
Github Security Blog
added 2026/05/11 7:40 p.m.12 views

MantisBT has Stored XSS on Move Attachments Admin Page

Unescaped Project Name allows an attacker that can set it which typically requires manager or administrator access level to inject HTML in Move Attachments admin page. Impact Cross-site scripting XSS. This is mitigated by Content Security Policy which restricts scripts execution. Patches -...

8.6CVSS5.8AI score0.00298EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/11 7:32 p.m.7 views

GHSA-FVJF-68WH-RWP2 MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form

When cloning an issue originating from a Project other than the current one, the clone form bugreportpage.php prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name which typically...

8.6CVSS5.8AI score0.00444EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/11 7:32 p.m.9 views

MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form

When cloning an issue originating from a Project other than the current one, the clone form bugreportpage.php prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name which typically...

8.6CVSS5.8AI score0.00444EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/05/11 7:32 p.m.9 views

Cross-site Scripting (XSS)

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the bugreportpage.php process when cloning an issue from a different project, due to improper escaping of the source project name. An attacker with sufficient...

8.6CVSS5.6AI score0.00444EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.10 views

PT-2026-39899

Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker MantisBT versions 1.3.0 through 2.28.1 Description An issue exists where an unescaped Project Name allows an attacker with manager or administrator access levels to inject HTML into the Move Attachments admin page. This lead...

8.6CVSS5.9AI score0.00298EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.8 views

PT-2026-39875

Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker MantisBT versions prior to 2.28.2 Description A Stored Cross-Site Scripting XSS issue exists when cloning an issue from a project other than the current one. The clone form 'bug report page.php' prepends the source project...

8.6CVSS5.9AI score0.00444EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/05 9:30 p.m.4 views

EUVD-2019-20054

ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application...

6.9CVSS6.2AI score0.00146EPSS
Exploits0References4
NVD
NVD
added 2026/04/05 9:16 p.m.5 views

CVE-2019-25659

ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application...

6.9CVSS0.00146EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/05 8:45 p.m.3 views

CVE-2019-25659

ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application...

6.9CVSS6.2AI score0.00146EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/04/05 8:45 p.m.21 views

CVE-2019-25659 ASPRunner Professional 6.0.766 Local Buffer Overflow DoS

ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application...

6.9CVSS0.00146EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/05 8:45 p.m.3 views

CVE-2019-25659 ASPRunner Professional 6.0.766 Local Buffer Overflow DoS

ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application...

6.9CVSS6.2AI score0.00146EPSS
Exploits0References3
CVE
CVE
added 2026/04/05 8:45 p.m.7 views

CVE-2019-25659

ASPRunner Professional 6.0.766 is affected by a local buffer overflow in the Project name field during project creation, which can trigger a denial of service via excessively long input (180+ characters). The CVE entry documents the crash as the impact; no remediation details are provided in the ...

6.9CVSS6.2AI score0.00146EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/05 12:0 a.m.9 views

Xlinesoft ASPRunner Professional 缓冲区错误漏洞

Xlinesoft ASPRunner Professional is a database-driven web application development tool provided by Xlinesoft Corporation in the United States. Version 6.0.766 of Xlinesoft ASPRunner Professional contains a buffer overflow vulnerability. This vulnerability stems from a local buffer overflow in the...

6.9CVSS6.1AI score0.00146EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/05 12:0 a.m.7 views

PT-2026-30468

ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application...

6.9CVSS6.2AI score0.00146EPSS
Exploits0References4
OSV
OSV
added 2026/02/24 1:2 a.m.3 views

CVE-2026-3051 DataLinkDC dinky Project Name GitRepository.java getProjectDir path traversal

A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Such manipulation of the argument projectName leads to path traversal...

5.3CVSS6AI score0.06507EPSS
Exploits1References7
CNNVD
CNNVD
added 2026/02/24 12:0 a.m.10 views

Dinky 路径遍历漏洞

Dinky is an open-source real-time computing platform developed by DataLinkDC. Versions of Dinky 1.2.5 and earlier contained a path traversal vulnerability. This vulnerability stemmed from incorrect handling of the parameter projectName in the getProjectDir function of the Project Name Handler...

7.6CVSS6.6AI score0.06507EPSS
Exploits1References5
NVD
NVD
added 2026/02/12 11:16 p.m.5 views

CVE-2019-25330

SurfOffline Professional 2.2.0.103 contains a structured exception handler SEH overflow vulnerability that allows attackers to crash the application by manipulating the project name input. Attackers can generate a malicious payload of 382 'A' characters followed by specific byte sequences to...

7.5CVSS0.00314EPSS
Exploits0References4
CVE
CVE
added 2026/02/12 10:48 p.m.15 views

CVE-2019-25330

CVE-2019-25330 affects SurfOffline Professional 2.2.0.103 via a structured exception handler (SEH) overflow in the project name input. An attacker can crash the application by supplying a crafted payload (e.g., 382 'A' characters followed by specific byte sequences), resulting in a denial of serv...

7.5CVSS5.6AI score0.00314EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/02/12 10:48 p.m.5 views

CVE-2019-25330

SurfOffline Professional 2.2.0.103 contains a structured exception handler SEH overflow vulnerability that allows attackers to crash the application by manipulating the project name input. Attackers can generate a malicious payload of 382 'A' characters followed by specific byte sequences to...

7.5CVSS5.6AI score0.00314EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/02/12 10:48 p.m.25 views

CVE-2019-25330 SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)

SurfOffline Professional 2.2.0.103 contains a structured exception handler SEH overflow vulnerability that allows attackers to crash the application by manipulating the project name input. Attackers can generate a malicious payload of 382 'A' characters followed by specific byte sequences to...

7.5CVSS0.00314EPSS
Exploits0References4
Rows per page
Query Builder