Damien Regad

65 exploits. Active since Jun 2012.
CVE-2020-25830 WRITEUP MEDIUM
MantisBT < 2.24.3 - Cross-Site Scripting via Custom Field Name
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVSS 4.8
CVE-2020-8981 WRITEUP MEDIUM
MantisBT Source Integration < 1.6.2 and 2.x < 2.3.1 - Stored Cross-Site Scripting via Repository Name
A cross-site scripting (XSS) vulnerability was discovered in the Source Integration plugin before 1.6.2 and 2.x before 2.3.1 for MantisBT. The repo_delete.php Delete Repository page allows execution of arbitrary code via a repo name (if CSP settings permit it). This is related to CVE-2018-16362.
CVSS 6.1
CVE-2021-3850 WRITEUP CRITICAL
adodb < 5.20.21 - Authentication Bypass
Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21.
CVSS 9.1
CVE-2021-43257 WRITEUP HIGH
MantisBT < 2.25.3 - CSV Injection via CSV Export API
Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.
CVSS 7.8
CVE-2023-44394 WRITEUP MEDIUM
MantisBT < 2.25.8 - Unauthorized Private Project Name Exposure via Wiki Page ID Enumeration
MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. This issue has been addressed in commit `65c44883f` which has been included in release `2.25.8`. Users are advised to upgrade. Users unable to upgrade should disable wiki integration (`$g_wiki_enable = OFF;`).
CVSS 4.3
CVE-2024-23830 WRITEUP HIGH
MantisBT < 2.26.1 - Unauthenticated Account Hijacking via Password Reset Link Poisoning
MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user's email address and username can hijack the user's account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`.
CVSS 8.3
CVE-2024-34077 WRITEUP HIGH
MantisBT < 2.26.2 - Unauthenticated Account Takeover via Password Reset Token Reuse
MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and take over their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e. for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force attack calling account_update.php with increasing user IDs is possible. A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to. Version 2.26.2 contains a patch for the issue. As a workaround, one may mitigate the risk by reducing the verification token's validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in `constants_inc.php`).
CVSS 7.3
CVE-2024-34081 WRITEUP MEDIUM
MantisBT < 2.26.2 - Stored Cross-Site Scripting via Custom Field Name
MantisBT (Mantis Bug Tracker) is an open source issue tracker. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when resolving or closing issues (`bug_change_status_page.php`) belonging to a project linking said custom field, viewing issues (`view_all_bug_page.php`) when the custom field is displayed as a column, or printing issues (`print_all_bug_page.php`) when the custom field is displayed as a column. Version 2.26.2 contains a patch for the issue. As a workaround, ensure Custom Field Names do not contain HTML tags.
CVSS 6.6
CVE-2024-45792 WRITEUP MEDIUM
MantisBT < 2.26.4 - Authenticated Exposure of Sensitive Information via Crafted POST Request
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles. This vulnerability is fixed in 2.26.4.
CVSS 6.5
CVE-2025-46337 WRITEUP CRITICAL
ADOdb < 5.22.9 - SQL Injection via pg_insert_id()
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.
CVSS 10.0
CVE-2025-46556 WRITEUP MEDIUM
MantisBT < 2.27.2 - Denial of Service via Oversized Issue Note Submission
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2.
CVSS 6.5
CVE-2025-47776 WRITEUP CRITICAL
MantisBT < 2.27.2 - Authentication Bypass via MD5 Hash Type Juggling
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparison in the authentication code in versions 2.27.1 and below, PHP type juggling will cause certain MD5 hashes matching scientific notation to be interpreted as numbers. Instances using the MD5 login method allow an attacker who knows the victim's username and has access to an account with a password hash that evaluates to zero to log in without knowing the victim's actual password, by using any other password with a hash that also evaluates to zero. This issue is fixed in version 2.27.2.
CVSS 9.1
CVE-2025-54119 WRITEUP CRITICAL
ADOdb < 5.22.10 - SQL Injection via metaColumns(), metaForeignKeys() or metaIndexes() Table Parameter
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To work around this issue, only pass controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.
CVSS 10.0
CVE-2025-55155 WRITEUP MEDIUM
MantisBT < 2.27.2 - Information Disclosure via Unvalidated Email Address Change
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure. This issue is fixed in version 2.27.2.
CVSS 5.4
CVE-2025-62520 WRITEUP MEDIUM
MantisBT < 2.27.2 - Improper Authorization via Copy From Action
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php can use the Copy From action to retrieve the columns configuration from a private project they have no access to. This issue is fixed in version 2.27.2.
CVSS 4.3