CVE-2014-1608

Published: Mar 18, 2014Modified: May 6, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request.

Affected (21)

Products: Mantisbt: Mantisbt · Debian: Debian Linux

1 product

1 product

Configuration A

20 vulnerable

Vulnerable Software	Affected Versions
Mantisbt Mantisbt	Up to 1.2.15
Mantisbt Mantisbt	Version 1.2.0
Mantisbt Mantisbt	Version 1.2.0 alpha1
Mantisbt Mantisbt	Version 1.2.0 alpha2
Mantisbt Mantisbt	Version 1.2.0 alpha3
Mantisbt Mantisbt	Version 1.2.0 rc1
Mantisbt Mantisbt	Version 1.2.0 rc2
Mantisbt Mantisbt	Version 1.2.10
Mantisbt Mantisbt	Version 1.2.11
Mantisbt Mantisbt	Version 1.2.13
Mantisbt Mantisbt	Version 1.2.14
Mantisbt Mantisbt	Version 1.2.1
Mantisbt Mantisbt	Version 1.2.2
Mantisbt Mantisbt	Version 1.2.3
Mantisbt Mantisbt	Version 1.2.4
Mantisbt Mantisbt	Version 1.2.5
Mantisbt Mantisbt	Version 1.2.6
Mantisbt Mantisbt	Version 1.2.7
Mantisbt Mantisbt	Version 1.2.8
Mantisbt Mantisbt	Version 1.2.9

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0

Related CWEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (16)

http://osvdb.org/103118

Source: cve@mitre.org

http://secunia.com/advisories/61432

Source: cve@mitre.org

http://www.debian.org/security/2014/dsa-3030

Source: cve@mitre.org

http://www.mantisbt.org/bugs/view.php?id=16879

Source: cve@mitre.org

http://www.ocert.org/advisories/ocert-2014-001.html

Source: cve@mitre.org

US Government Resource

http://www.securityfocus.com/bid/65445

Source: cve@mitre.org

https://bugzilla.redhat.com/show_bug.cgi?id=1063111

Source: cve@mitre.org

https://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102

Source: cve@mitre.org

ExploitPatch

http://osvdb.org/103118

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/61432

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2014/dsa-3030

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mantisbt.org/bugs/view.php?id=16879

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ocert.org/advisories/ocert-2014-001.html

Source: af854a3a-2127-422b-91ae-364da2661108

US Government Resource

http://www.securityfocus.com/bid/65445

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=1063111

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatch

Timeline

No history available yet.