CVE-2019-15715

HIGH

Mantisbt < 1.3.20 - OS Command Injection

Title source: rule

Description

MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.

Exploits (2)

exploitdb WORKING POC

by Nikolas Geiselman · pythonwebappsphp

https://www.exploit-db.com/exploits/48818

View Code ZIP pw:eip

nomisec WORKING POC

by mcornaglia · poc

https://github.com/mcornaglia/CVE-2019-15715

View Code ZIP pw:eip

References (8)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/159219/Mantis-Bug-Tracker-2.3.0-Remote-Code-Execution.html

[Patch, Third Party Advisory] https://github.com/mantisbt/mantisbt/commit/5fb979604d88c630343b3eaf2b435cd41918c501

[Patch, Third Party Advisory] https://github.com/mantisbt/mantisbt/commit/7092573fac31eff41823f13540324db167c8bd52

[Patch, Third Party Advisory] https://github.com/mantisbt/mantisbt/commit/cebfb9acb3686e8904d80bd4bc80720b54ba08e5

[Patch, Third Party Advisory] https://github.com/mantisbt/mantisbt/commit/fc7668c8e45db55fc3a4b991ea99d2b80861a14c

[Release Notes, Vendor Advisory] https://mantisbt.org/bugs/changelog_page.php?project=mantisbt

[Exploit, Issue Tracking, Vendor Advisory] https://mantisbt.org/bugs/view.php?id=26091

[Exploit, Issue Tracking, Vendor Advisory] https://mantisbt.org/bugs/view.php?id=26162

Scores

CVSS v3 7.2

EPSS 0.2133

EPSS Percentile 95.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

mantisbt/mantisbt 0 - 1.3.20Packagist

mantisbt/mantisbt 1.0.0 - 1.3.20

Published Oct 09, 2019

Tracked Since Feb 18, 2026