oss-sec mailing list archives
Re: CVE request: MantisBT 1.2.13 SQL injection vulnerability
From: Damien Regad <dregad () mantisbt org>
Date: Mon, 03 Mar 2014 09:36:04 +0100
On 28.02.2014 21:05, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1http://www.mantisbt.org/bugs/view.php?id=17055admin_config_report.php relied on unsanitized, inlined query parameters, enabling a malicious user to perform an SQL injection attack.Use CVE-2014-2238.
Thank you. FYI, the reporter confirmed that the patch indeed resolves the issue. On 1 March 2014 09:46, Jakub Galczyk wrote: > > 2014-02-28 18:52 GMT+01:00 Damien Regad wrote: > >> You may have gone for the weekend and not seen my last message >> asking you to test the patch, so I went ahead and committed it. Let >> me know if the issue persists, I'll research further and make an >> additional fix as required. >> >> We'll probably release 1.2.17 next week, please try and confirm that >> the vulnerability is indeed gone on Monday if you can. > > Hi Damien, > > it works. Thank you once again! > > Best regards, > Jakub --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com
Current thread:
- CVE request: MantisBT 1.2.13 SQL injection vulnerability Damien Regad (Feb 28)
- Re: CVE request: MantisBT 1.2.13 SQL injection vulnerability cve-assign (Feb 28)
- Re: CVE request: MantisBT 1.2.13 SQL injection vulnerability Damien Regad (Mar 03)
- Re: CVE request: MantisBT 1.2.13 SQL injection vulnerability Damien Regad (Mar 04)
- Re: CVE request: MantisBT 1.2.13 SQL injection vulnerability cve-assign (Feb 28)