CVE-2014-6316
Published: 12 December 2014
core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.
Priority
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6316
- http://github.com/mantisbt/mantisbt/commit/e66ecc9f
- https://www.mantisbt.org/bugs/view.php?id=17648
- https://www.mantisbt.org/bugs/view.php?id=17362
- https://www.mantisbt.org/bugs/view.php?id=17698
- https://www.mantisbt.org/bugs/view.php?id=17811
- NVD
- Launchpad
- Debian