Vulnerability Description
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mantisbt | Mantisbt | <= 1.2.17 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/62101
- http://www.debian.org/security/2015/dsa-3120
- http://www.mantisbt.org/bugs/view.php?id=17780Vendor Advisory
- http://www.openwall.com/lists/oss-security/2014/11/07/28
- http://www.securityfocus.com/bid/70996
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98573
- https://github.com/mantisbt/mantisbt/commit/80a15487Vendor Advisory
- http://secunia.com/advisories/62101
- http://www.debian.org/security/2015/dsa-3120
- http://www.mantisbt.org/bugs/view.php?id=17780Vendor Advisory
- http://www.openwall.com/lists/oss-security/2014/11/07/28
- http://www.securityfocus.com/bid/70996
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98573
- https://github.com/mantisbt/mantisbt/commit/80a15487Vendor Advisory
FAQ
What is CVE-2014-8598?
CVE-2014-8598 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the...
How severe is CVE-2014-8598?
CVE-2014-8598 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-8598?
Check the references section above for vendor advisories and patch information. Affected products include: Mantisbt Mantisbt.