Date: Fri, 28 Feb 2014 18:34:44 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: MantisBT 1.2.13 SQL injection vulnerability

Greetings

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) discovered an SQL injection vulnerability issue affecting MantisBT >= 1.2.13.

admin_config_report.php relied on unsanitized, inlined query parameters, enabling a malicious user to perform an SQL injection attack.

The criticality of this issue is compounded by the fact that typically a high-privilege account (i.e. having an access level >= $g_view_configuration_threshold, which is set to ADMINISTRATOR by default) is required to access this page.

Patches are attached to .

Can you please assign a CVE ID to this issue?

Thank you

D. Regad
MantisBT Developer
http://mantisbt.org/

http://www.mantisbt.org/bugs/view.php?id=17055
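The inlined-parameter pattern described above next to its bound-parameter replacement, as an added illustration that is not MantisBT's own code; the in-memory table, its column names and the filter argument are assumptions constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a configuration table a report page
    would list; the schema and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE config ("
        "config_id TEXT, project_id INTEGER, user_id INTEGER, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO config VALUES (?, ?, ?, ?)",
        [
            ("allow_signup", 0, 0, "1"),
            ("smtp_password", 0, 0, "constructed-secret"),
            ("default_language", 1, 2, "english"),
        ],
    )
    return conn


def report_inlined(conn, filter_config_id):
    """Vulnerable pattern: the request value is pasted into the SQL text,
    so the database cannot tell filter data from query structure."""
    sql = (
        "SELECT config_id, value FROM config "
        "WHERE config_id = '%s'" % filter_config_id
    )
    return conn.execute(sql).fetchall()


def report_bound(conn, filter_config_id):
    """Hardened pattern: a placeholder is bound by the driver, so the
    value is always compared as data regardless of its content."""
    sql = "SELECT config_id, value FROM config WHERE config_id = ?"
    return conn.execute(sql, (filter_config_id,)).fetchall()


def compare_filter(conn, filter_config_id):
    """Return (rows from inlined query, rows from bound query) for one
    filter value; the counts differ only when the value alters the SQL."""
    return (
        len(report_inlined(conn, filter_config_id)),
        len(report_bound(conn, filter_config_id)),
    )
```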