Damien Regad

65 exploits, active since Jun 2012
CVE-2019-15715 WRITEUP HIGH
MantisBT < 1.3.20 - Authenticated Remote Code Execution via Command Injection
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
CVSS 7.2
CVE-2020-25781 WRITEUP MEDIUM
MantisBT < 2.24.3 - Missing Authorization for Private Attachment Download
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVSS 4.3
CVE-2025-46556 WRITEUP MEDIUM
MantisBT < 2.27.2 - Denial of Service via Oversized Issue Note Submission
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2.
CVSS 6.5
CVE-2026-33517 WRITEUP MEDIUM
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from the `$s_tag_delete_message` string.
CVSS 6.1
CVE-2026-33548 WRITEUP MEDIUM
MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html().
CVSS 6.1
CVE-2026-30849 WRITEUP CRITICAL
MantisBT < 2.28.1 - Authentication Bypass via SOAP API Password Parameter
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim's username is able to log in to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.
CVSS 9.8
CVE-2013-1883 WRITEUP
MantisBT 1.2.12-1.2.14 - Denial of Service via Filter Criteria Resource Consumption
Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type.
CVE-2015-5059 WRITEUP MEDIUM
MantisBT < 1.2.19 - Authenticated Unauthorized File Download via Project Documentation Feature
The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects via a file id number in the file_id parameter to file_download.php.
CVSS 5.3
CVE-2016-7405 WRITEUP CRITICAL
ADOdb Library for PHP < 5.20.7 - SQL Injection via PDO Driver qstr Method
The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
CVSS 9.8
CVE-2017-12061 WRITEUP MEDIUM
MantisBT < 1.3.12 and 2.x < 2.5.2 - Cross-Site Scripting via Installation Script Variables
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.
CVSS 6.1
CVE-2017-12062 WRITEUP MEDIUM
MantisBT 2.0.0-2.5.1 - Cross-Site Scripting in Manage User Page Filter Field
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
CVSS 6.1
CVE-2017-6797 WRITEUP MEDIUM
MantisBT < 1.3.7 and 2.x < 2.2.1 - Cross-Site Scripting via 'action_type' Parameter
A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter.
CVSS 6.1
CVE-2017-6799 WRITEUP MEDIUM
MantisBT < 2.2.0 - Cross-Site Scripting via view_type Parameter
A cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter.
CVSS 6.1
CVE-2017-7897 WRITEUP MEDIUM
MantisBT 2.3.0-2.3.1 - Cross-Site Scripting via PATH_INFO in Timeline Include Page
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.
CVSS 6.1
CVE-2018-13055 WRITEUP MEDIUM
MantisBT 2.1.0-2.15.0 - Cross-Site Scripting via View Filters Page PATH_INFO
A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) in MantisBT 2.1.0 through 2.15.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO.
CVSS 6.1
CVE-2018-6526 WRITEUP MEDIUM
MantisBT < 2.10.0 - Path Disclosure via Invalid Filter Parameter
view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filter_ensure_valid_filter call in current_user_api.php.
CVSS 5.3
CVE-2018-9839 WRITEUP MEDIUM
MantisBT < 1.3.14 and 2.0.0 - Authenticated Private Issue Data Exposure via Cloning
An issue was discovered in MantisBT through 1.3.14, and 2.0.0. Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce, additional information) when cloning it. By checking the 'Copy issue notes' and 'Copy attachments' checkboxes and completing the clone operation, this data also becomes public (except private notes).
CVSS 6.5
CVE-2019-15074 WRITEUP CRITICAL
MantisBT < 2.21.1 - Stored Cross-Site Scripting via Timeline Attachment Filename
The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed.
CVSS 9.6
CVE-2020-25288 WRITEUP MEDIUM
MantisBT < 2.24.3 - Cross-Site Scripting via Custom Field Regular Expression
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.
CVSS 4.8