Vulnerability Name: CVE-2014-9271 (CCN-99040)
Assigned: 2014-12-01
Published: 2014-12-01
Updated: 2021-03-04

Summary: Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename.

CVSS v3 Severity: 5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): Low; User Interaction (UI): Required
Scope (S): Changed
Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): None

CCN CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None

CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Temporal: 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None

CCN CVSS v2 Severity: 4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Temporal: 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting

References:
Source: MITRE, Type: CNA: CVE-2014-9271
Source: CCN, Type: oss-security Mailing List, Sat, 29 Nov 2014 18:16:01 +0100: CVE Request: DB credentials disclosure in MantisBT's unattended upgrade script
Source: MLIST, Type: Mailing List, Third Party Advisory: [oss-security] 20141201 CVE Request: Multiple XSS vulnerabilities in MantisBT
Source: MLIST, Type: Mailing List, Third Party Advisory: [oss-security] 20141204 Re: CVE Request: Multiple XSS vulnerabilities in MantisBT
Source: MLIST, Type: Mailing List, Third Party Advisory: [oss-security] 20141205 Re: CVE Request: Multiple XSS vulnerabilities in MantisBT
Source: SECUNIA, Type: Third Party Advisory: 62101
Source: DEBIAN, Type: Third Party Advisory: DSA-3120
Source: CCN, Type: BID-71380: MantisBT 'file_download.php' HTML Injection Vulnerability
Source: CCN, Type: BID-71521: MantisBT 'file_download.php' HTML Injection Vulnerability
Source: XF, Type: UNKNOWN: mantisbt-filedownload-xss(99040)
Source: CONFIRM, Type: Patch, Third Party Advisory: https://github.com/mantisbt/mantisbt/commit/9fb8cf36f
Source: CCN, Type: MantisBT Web site: MantisBT
Source: CONFIRM, Type: Exploit, Issue Tracking, Vendor Advisory: https://www.mantisbt.org/bugs/view.php?id=17874

Vulnerable Configuration:

Configuration 1:
cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Configuration 2 (any of the following):
cpe:/a:mantisbt:mantisbt:1.1.0:a1:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.0:a2:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.0:a3:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.0:a4:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.0:rc1:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.0:rc2:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.0:rc3:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.1:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.2:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.3:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.4:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.5:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.6:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.7:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.8:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.1.9:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.0:-:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.0:alpha1:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.0:alpha2:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.0:alpha3:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.0:rc1:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.0:rc2:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.1:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.2:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.3:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.4:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.5:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.6:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.7:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.8:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.9:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.10:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.11:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.12:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.13:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.14:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.15:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.16:*:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.17:*:*:*:*:*:*:*

Configuration CCN 1 (any of the following):
cpe:/a:mantisbt:mantisbt:1.1.0:a3:*:*:*:*:*:*
cpe:/a:mantisbt:mantisbt:1.2.17:*:*:*:*:*:*:*