CVE-2014-9279

Published: 8 December 2014

The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.

Priority

Status

Package	Release	Status
mantis Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Ignored (end of life)
	trusty	Does not exist
	upstream	Needs triage
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist

References

http://github.com/mantisbt/mantisbt/commit/0826cef8
http://www.mantisbt.org/bugs/view.php?id=17877
https://github.com/mantisbt/mantisbt/commit/0826cef8
http://xforce.iss.net/xforce/xfdb/99031
http://seclists.org/oss-sec/2014/q4/863
https://www.cve.org/CVERecord?id=CVE-2014-9279
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.