Package details: pkg:composer/mantisbt/mantisbt@2.15.1

purl:                           pkg:composer/mantisbt/mantisbt@2.15.1
Next non-vulnerable version:    2.24.3
Latest non-vulnerable version:  2.28.2
Risk:                           3.1
Vulnerabilities affecting this package (1)

Vulnerability: VCID-jqsn-z754-57ek
  Aliases:     CVE-2020-25781, GHSA-xjmx-cprh-646r
  Summary:     MantisBT unauthorized users able to access private files. An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
  Fixed by:    2.24.3

Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)

Vulnerability: VCID-dy4y-w8g5-9udt
  Aliases:     CVE-2018-14504, GHSA-74gh-5j33-vg4w
  Summary:     MantisBT allows XSS on the Edit Filter page via crafted filter name. An issue was discovered in manage_filter_edit_page.php in MantisBT 2.x through 2.15.0. A cross-site scripting (XSS) vulnerability in the Edit Filter page allows execution of arbitrary code (if CSP settings permit it) when displaying a filter with a crafted name (e.g., 'foobar" onclick="alert(1)').

Vulnerability: VCID-x9k5-hczy-u3cd
  Aliases:     CVE-2018-13055, GHSA-mjp7-97w4-jwhc
  Summary:     MantisBT allows XSS via View Filters page. A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) in MantisBT 2.1.0 through 2.15.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO.