CVE-2018-6382
CVE-2018-6382 is a vulnerability of currently unknown severity. MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via the vendor/adodb/adodb-php/server.php sql parameter in a request to the 127.0.0.1 IP address. NOTE: the vendor disputes the significance of this report because server.php is intended to execute arbitrary SQL statements on behalf of authenticated users from 127.0.0.1, and the issue does not have an authentication bypass. EPSS estimates a 0.54% chance of exploitation in the next 30 days.
Description
MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via the vendor/adodb/adodb-php/server.php sql parameter in a request to the 127.0.0.1 IP address. NOTE: the vendor disputes the significance of this report because server.php is intended to execute arbitrary SQL statements on behalf of authenticated users from 127.0.0.1, and the issue does not have an authentication bypass.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mantisbt | Mantisbt | 2.10.0 |
References
- http://archive.is/https:/mantisbt.org/bugs/view.php?id=23908 (Vendor Advisory)
- https://mantisbt.org/bugs/view.php?id=23908 (Issue Tracking, Vendor Advisory)
Source: NVD / NIST
