Mantis: Multiple vulnerabilities

Mantis: Multiple vulnerabilities Mantis is affected by multiple vulnerabilities ranging from information disclosure to arbitrary script execution. Mantis 2005-10-28 2006-05-22 110326 remote 0.19.3 0.19.3

Mantis is a web-based bugtracking system written in PHP.

Mantis contains several vulnerabilities, including:

a remote file inclusion vulnerability
an SQL injection vulnerability
multiple cross site scripting vulnerabilities
multiple information disclosure vulnerabilities

An attacker could exploit the remote file inclusion vulnerability to execute arbitrary script code, and the SQL injection vulnerability to access or modify sensitive information from the Mantis database. Furthermore the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser. An attacker could exploit other vulnerabilities to disclose information.

There is no known workaround at this time.

All Mantis users should upgrade to the latest version:


    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-0.19.3"

Mantis ChangeLog CVE-2005-3335 CVE-2005-3336 CVE-2005-3337 CVE-2005-3338 CVE-2005-3339 jaervosz jaervosz