SQL Injection Vulnerability in MantisBT Bug Tracker by MantisBT
CVE-2020-28413

5.3 MEDIUM

Key Information:

Vendor: Mantisbt

Status
Vendor
CVE Published: 30 December 2020

What is CVE-2020-28413?

In MantisBT version 2.24.3, a SQL injection vulnerability can be exploited through the 'access' parameter of the mc_project_get_users function via the SOAP API. This flaw allows attackers to manipulate SQL queries, potentially leading to unauthorized access to sensitive data within the application. Users of this version should apply the necessary security measures to protect their systems against this injection attack.

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
