CVE-2014-9759

Published: Apr 11, 2016Modified: May 6, 2026

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Incomplete blacklist vulnerability in the config_is_private function in config_api.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request.

Affected (1)

Products: Mantisbt: Mantisbt

Mantisbt

1 product

Mantisbt

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mantisbt Mantisbt	Version 1.3.0 rc1

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (10)

http://sourceforge.net/p/mantisbt/mailman/message/32948048/

Source: cve@mitre.org

Patch

http://www.openwall.com/lists/oss-security/2016/01/02/1

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2016/01/03/2

Source: cve@mitre.org

http://www.securitytracker.com/id/1035518

Source: cve@mitre.org

https://mantisbt.org/bugs/view.php?id=20277

Source: cve@mitre.org

Patch

http://sourceforge.net/p/mantisbt/mailman/message/32948048/