Red Hat Bugzilla – Bug 1071459
CVE-2014-2238 mantis: SQL injection vulnerability
Last modified: 2016-01-22 11:32:16 EST
It was reported that MantisBT suffers from an SQL injection vulnerability. admin_config_report.php relied on unsanitized, inlined query parameters, enabling a malicious user to perform an SQL injection attack. An administrative account is required to access this page, however.
This has been corrected in git; it was introduced in version 1.2.13, so versions prior to that are unaffected; only 1.2.13 up to and including 1.2.16 are affected.
Created mantis tracking bugs for this issue:
Affects: fedora-all [bug 1071460]
mantis-1.2.17-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.17-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.