GHSA-9X76-MP7R-2XC5 MantisBT vulnerable to CSRF and Open Redirect attacks
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in stringapi.php and consequently has conflicting interpretations of an initial / substring as introducing either a local pathname or a remote hostname, which leads to 1 arbitrary Permalink Injection via CSRF...
CVE-2008-4688
Vulnerability summary (CVE-2008-4688): Mantis before 1.1.3 does not verify viewer privileges when building a link that includes issue data in the source anchor, allowing remote attackers to discover an issue's title and status by tampering with the issue number. This is documented across multiple sou...