CVE-2014-9272

Published: Jan 9, 2015Modified: May 6, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.

Affected (40)

Products: Debian: Debian Linux · Mantisbt: Mantisbt

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0

Configuration B

39 vulnerable

Vulnerable Software	Affected Versions
Mantisbt Mantisbt	Version 1.1.0 a1
Mantisbt Mantisbt	Version 1.1.0 a2
Mantisbt Mantisbt	Version 1.1.0 a3
Mantisbt Mantisbt	Version 1.1.0 a4
Mantisbt Mantisbt	Version 1.1.0 rc1
Mantisbt Mantisbt	Version 1.1.0 rc2
Mantisbt Mantisbt	Version 1.1.0 rc3
Mantisbt Mantisbt	Version 1.1.1
Mantisbt Mantisbt	Version 1.1.2
Mantisbt Mantisbt	Version 1.1.3
Mantisbt Mantisbt	Version 1.1.4
Mantisbt Mantisbt	Version 1.1.5
Mantisbt Mantisbt	Version 1.1.6
Mantisbt Mantisbt	Version 1.1.7
Mantisbt Mantisbt	Version 1.1.8
Mantisbt Mantisbt	Version 1.1.9
Mantisbt Mantisbt	Version 1.2.0
Mantisbt Mantisbt	Version 1.2.0 alpha1
Mantisbt Mantisbt	Version 1.2.0 alpha2
Mantisbt Mantisbt	Version 1.2.0 alpha3
Mantisbt Mantisbt	Version 1.2.0 rc1
Mantisbt Mantisbt	Version 1.2.0 rc2
Mantisbt Mantisbt	Version 1.2.10
Mantisbt Mantisbt	Version 1.2.11
Mantisbt Mantisbt	Version 1.2.12
Mantisbt Mantisbt	Version 1.2.13
Mantisbt Mantisbt	Version 1.2.14
Mantisbt Mantisbt	Version 1.2.15
Mantisbt Mantisbt	Version 1.2.16
Mantisbt Mantisbt	Version 1.2.17
Mantisbt Mantisbt	Version 1.2.1
Mantisbt Mantisbt	Version 1.2.2
Mantisbt Mantisbt	Version 1.2.3
Mantisbt Mantisbt	Version 1.2.4
Mantisbt Mantisbt	Version 1.2.5
Mantisbt Mantisbt	Version 1.2.6
Mantisbt Mantisbt	Version 1.2.7
Mantisbt Mantisbt	Version 1.2.8
Mantisbt Mantisbt	Version 1.2.9