It was reported [1], [2] that MantisBT suffers from an SQL injection vulnerability. admin_config_report.php relied on unsanitized, inlined query parameters, enabling a malicious user to perform an SQL injection attack. An administrative account is required to access this page, however. This has been corrected in git [3]; it was introduced in version 1.2.13, so versions prior to that are unaffected; only 1.2.13 up to and including 1.2.16 are affected.

[1] http://www.mantisbt.org/bugs/view.php?id=17055
[2] http://seclists.org/oss-sec/2014/q1/456
[3] https://github.com/mantisbt/mantisbt/commit/a608f2d00a6eb0641605358cb683c176e671dc04
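A constructed PHP illustration of the bug class named above, added here and not taken from MantisBT or its fix: a report query that inlines request values into the SQL text, beside the same query using bound parameters. The table, column and parameter names are assumptions chosen for the example.

```php
<?php
// Constructed request standing in for the GET parameters of a report page.
// The user_id value is not a number, which is exactly what the inlined
// version fails to notice.
$request = ['user_id' => '0 OR 1=1', 'config_option' => 'x'];

// Vulnerable pattern: request values are spliced into the query string, so
// the WHERE clause becomes whatever the caller sends.
function vulnerable_report_sql(array $req): string {
    $user   = $req['user_id'];
    $option = $req['config_option'];
    return "SELECT config_id, user_id, project_id, value"
         . " FROM config"
         . " WHERE user_id = $user AND config_id = '$option'";
}

// Hardened pattern: the SQL text is fixed; values travel separately as bound
// parameters, and the integer filter is cast before binding.
function hardened_report_stmt(PDO $db, array $req): PDOStatement {
    $sql = "SELECT config_id, user_id, project_id, value"
         . " FROM config"
         . " WHERE user_id = :user AND config_id = :option";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':user', (int) $req['user_id'], PDO::PARAM_INT);
    $stmt->bindValue(':option', (string) $req['config_option'], PDO::PARAM_STR);
    $stmt->execute();
    return $stmt;
}

// Demo against an in-memory SQLite database seeded with constructed rows
// (assumes the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE config (config_id TEXT, user_id INTEGER, project_id INTEGER, value TEXT)");
$db->exec("INSERT INTO config VALUES ('x', 1, 0, 'one'), ('y', 2, 0, 'two')");

// The inlined query's user_id filter no longer constrains the result:
// rows belonging to other users come back.
$sql = vulnerable_report_sql($request);
echo "inlined SQL: $sql\n";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "inlined query returned " . count($rows) . " row(s)\n";

// The bound query filters on the integer 0 and treats the option as data,
// so the tautology never reaches the SQL parser.
$rows = hardened_report_stmt($db, $request)->fetchAll(PDO::FETCH_ASSOC);
echo "bound query returned " . count($rows) . " row(s)\n";
```

For review purposes, the difference to look for is that the hardened function's SQL string contains no interpolated variables at all; whether the value is an integer or free text, it is only ever passed through bindValue().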
Created mantis tracking bugs for this issue:

Affects: fedora-all [bug 1071460]
mantis-1.2.17-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.17-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.