CVE-2014-8598
MEDIUM severity · CVSS 6.4 · CWE-19
6.4CVSS MEDIUM
Summary
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impactNone
Exploit probability (EPSS)39%
AV:N/AC:L/Au:N/C:P/I:P/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://www.mantisbt.org/bugs/view.php?id=17780Advisory
- https://github.com/mantisbt/mantisbt/commit/80a15487Advisory
- http://secunia.com/advisories/62101
- http://www.debian.org/security/2015/dsa-3120
- http://www.openwall.com/lists/oss-security/2014/11/07/28
- http://www.securityfocus.com/bid/70996
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98573