CVE-2018-6382: SQL Injection
First published: Tue Jan 30 2018(Updated: )
** DISPUTED ** MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via the vendor/adodb/adodb-php/server.php sql parameter in a request to the 127.0.0.1 IP address. NOTE: the vendor disputes the significance of this report because server.php is intended to execute arbitrary SQL statements on behalf of authenticated users from 127.0.0.1, and the issue does not have an authentication bypass.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mantisbt Mantisbt | =2.10.0 | |
| =2.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-6382?
CVE-2018-6382 is a vulnerability in MantisBT 2.10.0 that allows local users to conduct SQL Injection attacks.
How does CVE-2018-6382 work?
CVE-2018-6382 works by exploiting the 'sql' parameter in a request to the 127.0.0.1 IP address.
What is the severity of CVE-2018-6382?
CVE-2018-6382 has a severity keyword of 'low' and a severity value of 3.3.
What software is affected by CVE-2018-6382?
MantisBT 2.10.0 is affected by CVE-2018-6382.
How can I fix CVE-2018-6382?
To fix CVE-2018-6382, update MantisBT to a version that is not affected or apply the vendor's security patch.
- collector/nvd-index
- agent/references
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/author
- agent/status
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- status/disputed
- vendor/mantisbt
- canonical/mantisbt mantisbt
- version/mantisbt mantisbt/2.10.0