CVE-2014-2238
MEDIUM severity · CVSS 6.5 · SQL injection
Summary
SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter.
Impact & exploitability
Attack vector: Network
Attack complexity: Low
Privileges required: —
User interaction: —
Confidentiality impact: —
Integrity impact: —
Availability impact: —
Exploit probability (EPSS): 11%
CVSS v2 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: http://seclists.org/oss-sec/2014/q1/490
Additional information
- NVD record
- http://seclists.org/oss-sec/2014/q1/490 (Patch)
- http://mantisbt.domainunion.de/bugs/view.php?id=17055 (Advisory)
- http://www.mantisbt.org/blog/?p=288 (Advisory)
- http://seclists.org/oss-sec/2014/q1/456
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91563
- http://www.securityfocus.com/bid/65903 (Exploit)