CVE-2014-2238
Published 2014-03-05
Priority P351 · medium · 6.5 (CVSS 2.0)
AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 11.31% (95.4th percentile)
SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mantisbt | mantisbt | — | — |
| mantisbt | mantisbt | — | — |
| mantisbt | mantisbt | — | — |
| mantisbt | mantisbt | — | — |
VulDB
MantisBT 1.2.13/1.2.14/1.2.15/1.2.16 adm_config_report.php filter_config_id sql injection (Nessus ID 80913 / ID 123311)
vuldb·2026-05-07·CVSS 6.5
A vulnerability categorized as critical has been discovered in MantisBT 1.2.13/1.2.14/1.2.15/1.2.16. This affects an unknown function of the file adm_config_report.php. Such manipulation of the argument filter_config_id leads to sql injection.
This vulnerability is documented as CVE-2014-2238. The attack can be executed remotely. Additionally, an exploit exists.
GHSA
GHSA-qh35-6wj2-6prp: SQL injection vulnerability in the manage configuration page (adm_config_report
ghsa_unreviewed·2022-05-17
CVE-2014-2238 [MEDIUM] CWE-89
SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter.
No detection rules found.
Bugzilla
CVE-2014-2238 mantis: SQL injection vulnerability
bugzilla·2014-02-28·CVSS 6.5
It was reported [1],[2] that MantisBT suffers from an SQL injection vulnerability. admin_config_report.php relied on unsanitized, inlined query parameters, enabling a malicious user to perform an SQL injection attack. An administrative account is required to access this page, however.
This has been corrected in git [3]; it was introduced in version 1.2.13, so versions prior to that are unaffected; only 1.2.13 up to and including 1.2.16 are affected.
[1] http://www.mantisbt.org/bugs/view.php?id=17055
[2] http://seclists.org/oss-sec/2014/q1/456
[3] https://github.com/mantisbt/mantisbt/commit/a608f2d00a6eb0641605358cb683c176e671dc04
Discussion:
Created mantis tracking bugs for this issue:
Affects: fedora-all [bug 1071460]
---
mantis-1
Bugzilla
CVE-2014-2238 mantis: SQL injection vulnerability [fedora-all]
bugzilla·2014-02-28·CVSS 6.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple s
http://mantisbt.domainunion.de/bugs/view.php?id=17055
http://seclists.org/oss-sec/2014/q1/456
http://seclists.org/oss-sec/2014/q1/490
http://www.mantisbt.org/blog/?p=288
http://www.securityfocus.com/bid/65903
https://exchange.xforce.ibmcloud.com/vulnerabilities/91563