CVE-2014-7146 was assigned to the following issue: "" When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed. "" CVE-2014-8598 was assigned to the following issues: "" The XML Import/Export "official" plugin (i.e. bundled with MantisBT releases) currently does not perform any access level checks in the import and export pages. This leads to the following vulnerabilities: 1) import Any user of a MantisBT instance with the XML plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level. This vulnerability is particularly dangerous when used in combination with the one described in issue #17725 [1] (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks. 2) export There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). "" These issues affect versions 1.2.0a3 up to and including 1.2.17. They will be fixed in a future 1.2.18 release. Upstream fixes: https://github.com/mantisbt/mantisbt/commit/bed19db9 https://github.com/mantisbt/mantisbt/commit/80a15487 References: http://seclists.org/oss-sec/2014/q4/576 http://seclists.org/oss-sec/2014/q4/577
Created mantis tracking bugs for this issue: Affects: fedora-all [bug 1162047] Affects: epel-5 [bug 1162048]
mantis-1.2.17-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.17-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.17-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.