CVE-2008-4687
published 2008-10-22


Priority: P266, critical, 9 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 67.45% (99.2th percentile)
manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.

Affected

13 ranges
Vendor | Product | Version range | Fixed in
mantis | mantis | <= 1.1.3 |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |
mantis | mantis | |

Detection & IOCs (extracted from sources)

path: manage_proj_page.php
path: core/utility_api.php
command: ']);}error_reporting(0);print(_code_);eval(base64_decode($_SERVER[HTTP_CMD]));die();#
url: /mantisbt/manage_proj_page.php
url: /mantisbt/login.php
url: /mantisbt/login_page.php
cookie: PHPSESSID
  • Detect POST requests to manage_proj_page.php containing PHP code injection sequences in the 'sort' parameter, particularly patterns breaking out of array context such as ']);
  • Look for HTTP POST requests to manage_proj_page.php with a custom 'Cmd' header containing base64-encoded payloads, used to pass the PHP eval payload via $_SERVER[HTTP_CMD]
  • Flag HTTP requests to manage_proj_page.php whose POST body 'sort' parameter contains eval, base64_decode, or error_reporting function calls indicative of PHP code injection
  • Monitor for Mantis versions 1.1.3 and earlier (pre-1.1.4) as these are confirmed vulnerable; version string is detectable from login_page.php response body matching /Mantis ([0-9]+\.[0-9]+\.[0-9]+)/
  • Exploitation requires prior authentication; the attacker must have valid Mantis credentials before the RCE payload can be delivered to manage_proj_page.php
  • The default installation path used by the Metasploit module is /mantisbt/; deployments under different base paths will require adjusted detection rules targeting the correct URI prefix
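
The detection bullets above, combined into one check over parsed HTTP request records. This is an added example, not code from this page or from the Mantis project; the request dict layout, the reason labels and the sample records are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs

TARGET = "/manage_proj_page.php"                 # matched under any base path
BREAKOUT = re.compile(r"['\"]\s*\]\s*\)\s*;")    # the "']);" array break-out
PHP_CALLS = re.compile(r"\b(eval|base64_decode|error_reporting)\s*\(", re.I)
VERSION = re.compile(r"Mantis ([0-9]+\.[0-9]+\.[0-9]+)")

def looks_base64(value):
    """True for strictly valid base64 of at least 8 characters."""
    try:
        base64.b64decode(value, validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return False
    return len(value) >= 8

def inspect_request(req):
    """Return the detection reasons that apply to one request record."""
    reasons = []
    if req["method"] != "POST" or not req["path"].split("?")[0].endswith(TARGET):
        return reasons
    # parse_qs URL-decodes the form body, so percent-encoded input is still seen.
    for value in parse_qs(req.get("body", "")).get("sort", []):
        if BREAKOUT.search(value):
            reasons.append("sort-array-breakout")
        if PHP_CALLS.search(value):
            reasons.append("sort-php-call")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if looks_base64(headers.get("cmd", "")):
        reasons.append("cmd-header-base64")
    return reasons

def affected_version(login_page_body):
    """Return (version, is_pre_1_1_4), or None if no version string is found."""
    match = VERSION.search(login_page_body)
    if match is None:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return match.group(1), parts < (1, 1, 4)

# Constructed sample records (not captured traffic).
SAMPLES = [
    {"method": "POST", "path": "/mantisbt/manage_proj_page.php",
     "headers": {"Cmd": base64.b64encode(b"constructed sample").decode()},
     "body": "sort=name%27%5D%29%3B%7Derror_reporting%280%29%3B"},
    {"method": "POST", "path": "/tracker/manage_proj_page.php",
     "headers": {}, "body": "sort=name&dir=ASC"},
]
```

Matching on the file name rather than the /mantisbt/ prefix covers deployments under other base paths, and the version check only flags what login_page.php actually reports.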

CVSS provenance

nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_redhat | 9.0 | CRITICAL