Arch Linux Security Advisory ASA-201502-3
=========================================

Severity: High
Date    : 2015-02-06
CVE-ID  : CVE-2014-9571 CVE-2014-9572 CVE-2014-9573 CVE-2014-9624 CVE-2015-1042
Package : mantisbt
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package mantisbt before version 1.2.19-1 is vulnerable to multiple issues including cross-site scripting, database credential disclosure, SQL injection, CAPTCHA bypass and URL redirection.

Resolution
==========

Upgrade to 1.2.19-1.

# pacman -Syu "mantisbt>=1.2.19-1"

The problems have been fixed upstream in version 1.2.19.

Workaround
==========

None.

Description
===========

- CVE-2014-9571 (cross-site scripting)

Cross-site scripting (XSS) vulnerability in admin/install.php allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

- CVE-2014-9572 (information disclosure)

It was discovered that mantisbt does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

- CVE-2014-9573 (SQL injection)

SQL injection vulnerability in manage_user_page.php allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie.

- CVE-2014-9624 (CAPTCHA bypass)

An attacker can get an unlimited amount of CAPTCHA "samples" with different perturbations for the same challenge, which makes the whole CAPTCHA utterly useless and very easy to bypass.

- CVE-2015-1042 (URL redirection)

A bug in the URL sanitization routine allows an attacker to craft a URL that can redirect outside of the MantisBT instance's domain. This is related to CVE-2014-6316 [1], and the same API function is affected by the same vulnerability, but the root cause is different.
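As an added example (not part of this advisory and not MantisBT's own code), the following Python scanner flags, in sample web-server access-log lines, requests that match the install.php exposure described for CVE-2014-9572 and CVE-2014-9571, and adds a hypothetical same-instance check of the kind a redirect sanitizer needs for CVE-2015-1042. The log lines, addresses and the is_local_redirect rules are constructed assumptions, not observed traffic or the upstream fix.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2015:10:01:12 +0000] "GET /mantisbt/view_all_bug_page.php HTTP/1.1" 200 5120
203.0.113.9 - - [06/Feb/2015:10:02:45 +0000] "GET /mantisbt/admin/install.php?install=4 HTTP/1.1" 200 2231
203.0.113.9 - - [06/Feb/2015:10:03:01 +0000] "POST /mantisbt/admin/install.php HTTP/1.1" 200 1800
198.51.100.7 - - [06/Feb/2015:10:04:30 +0000] "GET /mantisbt/login_page.php HTTP/1.1" 200 900
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(target):
    """Labels for one request target, following the advisory's descriptions."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    findings = []
    if parts.path.lower().endswith("/install.php"):
        # CVE-2014-9572: install.php still reachable; step 4 prints DB credentials.
        if query.get("install") == ["4"]:
            findings.append("CVE-2014-9572: install step 4 requested")
        else:
            findings.append("install.php reachable after installation")
        # CVE-2014-9571: admin_username / admin_password are reflected unescaped.
        if "admin_username" in query or "admin_password" in query:
            findings.append("CVE-2014-9571: reflected admin parameters present")
    return findings

def scan(log_text):
    """(ip, timestamp, target, findings) for every log line with at least one finding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := classify(m["target"])):
            hits.append((m["ip"], m["ts"], m["target"], findings))
    return hits

def is_local_redirect(url):
    """Hypothetical same-instance check for a return URL (not MantisBT's own routine):
    accept only a root-relative path with no scheme, host, '//' prefix, backslash or control char."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return False
    if parts.path.startswith("//") or "\\" in url:
        return False
    return not any(c.isspace() or ord(c) < 32 for c in url)
```

Any hit from scan() on a host still running a pre-1.2.19 package is worth treating as a possible credential exposure rather than noise, since the advisory states install.php is reachable without restriction.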
Impact
======

A remote attacker is able to perform cross-site scripting, obtain database credentials, execute arbitrary SQL commands when having administrator privileges, bypass CAPTCHAs or craft a URL that redirects to any domain.

References
==========

https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.19
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9571
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9572
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9573
https://access.redhat.com/security/cve/CVE-2014-9624
https://access.redhat.com/security/cve/CVE-2015-1042