Unrestricted Access and Arbitrary File Upload Vulnerability in MantisBT XML Import/Export Plugin

Unrestricted Access and Arbitrary File Upload Vulnerability in MantisBT XML Import/Export Plugin

CVE-2014-8598 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:P/A:N

The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.

Learn more about our Web Application Penetration Testing UK.