CVE-2008-4687

Mantis < 1.1.4 - Authenticated Remote Code Execution via Sort Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2008-4687. PoCs published by Metasploit, EgiX, nmurilo, including Metasploit module exploits/multi/http/mantisbt_manage_proj_page_rce.

AI-analyzed exploit summary This Metasploit module exploits a post-authentication RCE vulnerability in MantisBT by injecting PHP code via the 'sort' parameter in manage_proj_page.php. It logs in, sends a malicious payload, and executes arbitrary PHP code.

Description

manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotephp
https://www.exploit-db.com/exploits/44611

This Metasploit module exploits a post-authentication RCE vulnerability in MantisBT by injecting PHP code via the 'sort' parameter in manage_proj_page.php. It logs in, sends a malicious payload, and executes arbitrary PHP code.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: MantisBT <= 1.1.3
Auth required
Prerequisites: Valid credentials for MantisBT · Access to the manage_proj_page.php endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by EgiX · textwebappsphp
https://www.exploit-db.com/exploits/6768

This exploit targets a PHP code injection vulnerability in Mantis Bug Tracker <= 1.1.3 via the 'sort' parameter in manage_proj_page.php. It leverages the unsafe use of create_function() to execute arbitrary commands through a crafted HTTP request.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mantis Bug Tracker <= 1.1.3
Auth required
Prerequisites: Network access to the target · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by nmurilo · poc
https://github.com/nmurilo/CVE-2008-4687-exploit

This repository contains a functional Python exploit for CVE-2008-4687, which targets a code execution vulnerability in MantisBT via the 'sort' parameter in manage_proj_page.php. The exploit leverages PHP code injection through the create_function call in the multi_sort function.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: MantisBT before 1.1.4
Auth required
Prerequisites: Valid credentials for MantisBT · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by twisted007 · poc
https://github.com/twisted007/mantis_rce

This repository contains a functional Python exploit for CVE-2008-4687, targeting Mantis Bug Tracker versions prior to 1.2.x. The exploit leverages a PHP code injection vulnerability in the 'manage_proj_page.php' page via a crafted cookie, leading to remote command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mantis Bug Tracker < 1.2.x
Auth required
Prerequisites: Valid credentials for Mantis Bug Tracker · Network access to the target · Listener set up for reverse shell
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by EgiX, Lars Sorenson · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mantisbt_manage_proj_page_rce.rb

This Metasploit module exploits a post-authentication RCE vulnerability in MantisBT (CVE-2008-4687) by injecting PHP code via the 'sort' parameter in manage_proj_page.php. It includes authentication handling and payload delivery via base64-encoded commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: MantisBT <= 1.1.3
Auth required
Prerequisites: Valid MantisBT credentials · Access to manage_proj_page.php
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Issue Tracking x_refsource_confirm
https://bugs.gentoo.org/show_bug.cgi?id=242722
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32975
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/31789
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200812-07.xml
Various Sources x_refsource_confirm
http://www.mantisbt.org/bugs/view.php?id=0009704
Various Sources x_refsource_confirm
http://www.mantisbt.org/bugs/changelog_page.php
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44611/
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32314
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2008/10/19/1
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6768
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/45942
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/4470

Scores

EPSS 0.7923
EPSS Percentile 99.1%

Details

CWE
CWE-94
Status published
Products (13)
mantis/mantis 0.19.3
mantis/mantis 0.19.4
mantis/mantis 1.0.1
mantis/mantis 1.0.2
mantis/mantis 1.0.3
mantis/mantis 1.0.4
mantis/mantis 1.0.5
mantis/mantis 1.0.6
mantis/mantis 1.0.7
mantis/mantis 1.0.8
... and 3 more
Published Oct 22, 2008
Tracked Since Feb 18, 2026