CVE-2014-8598

MantisBT < 1.2.17 - Unauthenticated Arbitrary File Upload and Information Disclosure via XML Import/Export Plugin

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-8598. PoCs published by Metasploit, Egidio Romano, including Metasploit module exploits/multi/http/mantisbt_php_exec.

AI-analyzed exploit summary This Metasploit module exploits a post-auth PHP code injection vulnerability in MantisBT's XmlImportExport plugin (CVE-2014-8598). It leverages the /e modifier in preg_replace() to execute arbitrary PHP code via crafted XML input, bypassing user level checks to allow exploitation even with anonymous access.

Description

The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappsmultiple
https://www.exploit-db.com/exploits/41685

This Metasploit module exploits a post-auth PHP code injection vulnerability in MantisBT's XmlImportExport plugin (CVE-2014-8598). It leverages the /e modifier in preg_replace() to execute arbitrary PHP code via crafted XML input, bypassing user level checks to allow exploitation even with anonymous access.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: MantisBT with XmlImportExport plugin versions 1.2.0a3 to 1.2.17
No auth needed
Prerequisites: MantisBT with vulnerable XmlImportExport plugin installed · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by Egidio Romano · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mantisbt_php_exec.rb

This Metasploit module exploits a post-authentication PHP code injection vulnerability in MantisBT's XmlImportExport plugin (CVE-2014-8598). It leverages the /e modifier in preg_replace() to execute arbitrary PHP code via crafted XML input, bypassing user level checks to allow exploitation even with anonymous access.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: MantisBT with XmlImportExport plugin versions 1.2.0a3 to 1.2.17
No auth needed
Prerequisites: XmlImportExport plugin installed · Network access to MantisBT instance
devstral-2 · analyzed Apr 30, 2026 Full analysis →

References (7)

Core 7
Core References
Vendor Advisory x_refsource_confirm
https://github.com/mantisbt/mantisbt/commit/80a15487
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/98573
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/70996
Vendor Advisory x_refsource_confirm
http://www.mantisbt.org/bugs/view.php?id=17780
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62101
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3120
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/11/07/28

Scores

EPSS 0.6736
EPSS Percentile 98.6%

Details

CWE
CWE-19
Status published
Products (1)
mantisbt/mantisbt < 1.2.17
Published Nov 18, 2014
Tracked Since Feb 18, 2026