MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via the vendor/adodb/adodb-php/server.php sql parameter in a request to the 127.0.0.1 IP address. NOTE: the vendor disputes the significance of this report because server.php is intended to execute arbitrary SQL statements on behalf of authenticated users from 127.0.0.1, and the issue does not have an authentication bypass
References
Link | Resource |
---|---|
http://archive.is/https:/mantisbt.org/bugs/view.php?id=23908 | Vendor Advisory |
https://mantisbt.org/bugs/view.php?id=23908 | Issue Tracking Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-01-30T06:00:00
Updated: 2018-04-07T16:57:01
Reserved: 2018-01-29T00:00:00
Link: CVE-2018-6382
JSON object: View
NVD Information
Status : Modified
Published: 2018-01-30T06:29:00.320
Modified: 2024-05-17T01:29:11.573
Link: CVE-2018-6382
JSON object: View
Redhat Information
No data.
CWE