First published: Tue Nov 18 2014(Updated: )
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
MantisBT | =1.2.17 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2014-7146 has a high severity rating due to its potential to allow remote code execution.
To fix CVE-2014-7146, upgrade to MantisBT version 1.2.18 or later, where the vulnerability has been addressed.
CVE-2014-7146 affects MantisBT versions 1.2.17 and earlier.
CVE-2014-7146 is associated with remote code execution attacks through crafted XML files.
Mitigation for CVE-2014-7146 includes applying software patches and implementing security measures to validate XML input.