| Summary: | www-apps/mantisbt <1.1.2 Multiple vulnerabilities (CVE-2008-{3331,3332,3333}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | pva |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.mantisbt.org/bugs/changelog_page.php | | |
| Whiteboard: | C1/B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 222649 | | |
Description

Robert Buchholz (RETIRED)
2008-07-30 00:41:02 UTC

CVE-2008-3332 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3332): Eval injection vulnerability in adm_config_set.php in Mantis before 1.1.2 allows remote authenticated administrators to execute arbitrary code via the value parameter.

CVE-2008-3333 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3333): Directory traversal vulnerability in core/lang_api.php in Mantis before 1.1.2 allows remote attackers to read and include arbitrary files via the language parameter to the user preferences page (account_prefs_update.php).

1.1.2 seems to be in the tree, so I'm removing webapps from CC. Please re-add if webapps should still take an interest in the bug.

Arches, please test and mark stable www-apps/mantisbt-1.1.2. Target Keywords: "amd64 ppc x86"

amd64/x86 stable

ppc stable

GLSA request filed.

GLSA 200809-10