CVE-2014-8554

SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1609.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
mantisbtmantisbt
𝑥
≤ 1.2.17
mantisbtmantisbt
0.18.0
mantisbtmantisbt
0.19.0
mantisbtmantisbt
0.19.0:a1
mantisbtmantisbt
0.19.0:a2
mantisbtmantisbt
0.19.0:rc1
mantisbtmantisbt
0.19.0a1:a1
mantisbtmantisbt
0.19.0a2:a2
mantisbtmantisbt
0.19.1
mantisbtmantisbt
0.19.2
mantisbtmantisbt
0.19.3
mantisbtmantisbt
0.19.4
mantisbtmantisbt
0.19.5
mantisbtmantisbt
1.0.0
mantisbtmantisbt
1.0.0:a1
mantisbtmantisbt
1.0.0:a2
mantisbtmantisbt
1.0.0:a3
mantisbtmantisbt
1.0.0:rc1
mantisbtmantisbt
1.0.0:rc2
mantisbtmantisbt
1.0.0:rc3
mantisbtmantisbt
1.0.0:rc4
mantisbtmantisbt
1.0.0:rc5
mantisbtmantisbt
1.0.0a1:a1
mantisbtmantisbt
1.0.0a2:a2
mantisbtmantisbt
1.0.0a3:a3
mantisbtmantisbt
1.0.1
mantisbtmantisbt
1.0.2
mantisbtmantisbt
1.0.3
mantisbtmantisbt
1.0.4
mantisbtmantisbt
1.0.5
mantisbtmantisbt
1.0.6
mantisbtmantisbt
1.0.7
mantisbtmantisbt
1.0.8
mantisbtmantisbt
1.0.9
mantisbtmantisbt
1.1.0
mantisbtmantisbt
1.1.0:a1
mantisbtmantisbt
1.1.0:a2
mantisbtmantisbt
1.1.0:a3
mantisbtmantisbt
1.1.0:a4
mantisbtmantisbt
1.1.0:rc1
mantisbtmantisbt
1.1.0:rc2
mantisbtmantisbt
1.1.0:rc3
mantisbtmantisbt
1.1.1
mantisbtmantisbt
1.1.2
mantisbtmantisbt
1.1.3
mantisbtmantisbt
1.1.4
mantisbtmantisbt
1.1.5
mantisbtmantisbt
1.1.6
mantisbtmantisbt
1.1.7
mantisbtmantisbt
1.1.8
mantisbtmantisbt
1.1.9
mantisbtmantisbt
1.2.0
mantisbtmantisbt
1.2.0:alpha1
mantisbtmantisbt
1.2.0:alpha2
mantisbtmantisbt
1.2.0:alpha3
mantisbtmantisbt
1.2.0:rc1
mantisbtmantisbt
1.2.0:rc2
mantisbtmantisbt
1.2.0a1:a1
mantisbtmantisbt
1.2.0a2:a2
mantisbtmantisbt
1.2.1
mantisbtmantisbt
1.2.2
mantisbtmantisbt
1.2.3
mantisbtmantisbt
1.2.4
mantisbtmantisbt
1.2.5
mantisbtmantisbt
1.2.6
mantisbtmantisbt
1.2.7
mantisbtmantisbt
1.2.8
mantisbtmantisbt
1.2.9
mantisbtmantisbt
1.2.10
mantisbtmantisbt
1.2.11
mantisbtmantisbt
1.2.12
mantisbtmantisbt
1.2.13
mantisbtmantisbt
1.2.14
mantisbtmantisbt
1.2.15
mantisbtmantisbt
1.2.16
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mantis
zesty
dne
yakkety
dne
xenial
dne
wily
dne
vivid
dne
utopic
dne
trusty
dne
precise
ignored
lucid
ignored
Common Weakness Enumeration
References
http://seclists.org/oss-sec/2014/q4/479
http://seclists.org/oss-sec/2014/q4/487
http://secunia.com/advisories/62101
http://www.debian.org/security/2015/dsa-3120
http://www.mantisbt.org/bugs/view.php?id=16880
http://www.mantisbt.org/bugs/view.php?id=17812
http://www.securityfocus.com/bid/70856
https://exchange.xforce.ibmcloud.com/vulnerabilities/98457
http://seclists.org/oss-sec/2014/q4/479
http://seclists.org/oss-sec/2014/q4/487
http://secunia.com/advisories/62101
http://www.debian.org/security/2015/dsa-3120
http://www.mantisbt.org/bugs/view.php?id=16880
http://www.mantisbt.org/bugs/view.php?id=17812
http://www.securityfocus.com/bid/70856
https://exchange.xforce.ibmcloud.com/vulnerabilities/98457