Test ID:	1.3.6.1.4.1.25623.1.0.105902
Category:	Web application abuses
Title:	MantisBT < 1.2.16 Multiple SQLi Vulnerabilities
Summary:	There are multiple SQL injection (SQLi) vulnerabilities in; MantisBT which allow a remote attacker to access or modify data.
Description:	Summary: There are multiple SQL injection (SQLi) vulnerabilities in MantisBT which allow a remote attacker to access or modify data. Vulnerability Insight: Use of db_query() instead of db_query_bound() allowed SQL injection attacks due to unsanitized use of parameters within the query when using the SOAP API mc_project_get_attachments, news_get_limited_rows, summary_print_by_enum, summary_print_by_age, summary_print_by_developer, summary_print_by_reporter, summary_print_by_category, create_bug_enum_summary, enum_bug_group function and mc_issue_attachment_get. Vulnerability Impact: A remote attacker can compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Affected Software/OS: MantisBT 1.2.15 and prior. Solution: Update to version 1.2.16 or later. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-1608 BugTraq ID: 65445 http://www.securityfocus.com/bid/65445 Debian Security Information: DSA-3030 (Google Search) http://www.debian.org/security/2014/dsa-3030 http://www.ocert.org/advisories/ocert-2014-001.html http://osvdb.org/103118 http://secunia.com/advisories/61432 Common Vulnerability Exposure (CVE) ID: CVE-2014-1609 BugTraq ID: 65461 http://www.securityfocus.com/bid/65461
Copyright	Copyright (C) 2014 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.