Vulnerability Name: CVE-2014-8598 (CCN-98573)
Assigned: 2014-11-08
Published: 2014-11-08
Updated: 2017-09-08
Summary: The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. Note: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
    4.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
    3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-19
Vulnerability Consequences: Bypass Security
References:
    Source: MITRE Type: CNA CVE-2014-8598
    Source: SECUNIA Type: UNKNOWN 62101
    Source: DEBIAN Type: UNKNOWN DSA-3120
    Source: CONFIRM Type: Vendor Advisory http://www.mantisbt.org/bugs/view.php?id=17780
    Source: MLIST Type: UNKNOWN [oss-security] 20141108 CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access
    Source: BID Type: UNKNOWN 70996
    Source: CCN Type: BID-70996 MantisBT XmlImportExport Plugin CVE-2014-8598 Multiple Security Bypass Vulnerabilities
    Source: XF Type: UNKNOWN mantisbt-cve20148598-sec-bypass(98573)
    Source: CONFIRM Type: Vendor Advisory https://github.com/mantisbt/mantisbt/commit/80a15487
    Source: CCN Type: MantisBT Web site MantisBT
    Source: CCN Type: WhiteSource Vulnerability Database CVE-2014-8598