CVE-2014-7146
published 2014-11-18


Priority: P2 · 68 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available (Metasploit module)
EPSS: 50.56% (98.8th percentile)
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.

Affected (2 ranges)

Vendor    Product   Version range   Fixed in
mantisbt  mantisbt  <= 1.2.17       1.2.18
mantisbt  mantisbt

Detection & IOCs (extracted from sources)

path:     plugins/XmlImportExport/ImportXml.php
url:      plugin.php?page=XmlImportExport/import
url:      plugin.php?page=XmlImportExport/import_action
command:  {${eval(base64_decode(<payload_b64>))}}
  • Monitor HTTP POST requests to plugin.php?page=XmlImportExport/import_action that carry a multipart XML file upload; the payload embeds PHP code in the description field or the issuelink attribute, which ImportXml.php passes through preg_replace with the /e modifier.
  • Look for the pattern `{${eval(base64_decode(...))}}` inside uploaded XML files or POST bodies to plugin.php. Under /e the replacement string is evaluated as PHP after the match is substituted into it, and PHP's `{${expr}}` string interpolation syntax evaluates `expr`, so this shape is a direct PHP code injection.
  • Detect unauthenticated or low-privilege access to the XmlImportExport import/export pages; the plugin performs no access-level check, so exploitation is possible even as an anonymous user.
  • Alert on phpinfo() responses from MantisBT endpoints: the Metasploit module confirms exploitation by calling phpinfo() and matching 'This program makes use of the Zend' in the response body.
  • Flag XML uploads to MantisBT whose description field or issuelink attribute contains PHP-executable expressions, consistent with preg_replace /e abuse.
  • Exploitation requires the XmlImportExport plugin to be installed; instances without this plugin are not affected.
  • The vulnerability is exploitable by any authenticated user, and anonymously if anonymous access is enabled, because the import page performs no access-level check.
  • Affected versions are 1.2.0a3 through 1.2.17 inclusive; version 1.2.18 contains the upstream fix.
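The detection points above, as an added example (this is not code from the page's sources, from MantisBT or from the Metasploit module): a small scanner that takes a raw HTTP request, checks that it is a POST to one of the two import pages, walks the multipart body, parses each uploaded XML part and reports every `{${...}}` expression found in element text or attribute values, decoding the base64 argument of `base64_decode(...)` so an analyst can see the injected PHP. It also carries the phpinfo() success marker as a response-side check. The sample request, its XML layout and the form field names are constructed for this example and are assumptions, not a capture of real exploit traffic.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the IOC list: the plugin's import pages under plugin.php.
IMPORT_PAGES = {"XmlImportExport/import", "XmlImportExport/import_action"}

# preg_replace with /e evaluates the replacement string as PHP after substituting
# the match into it. PHP's "complex" interpolation syntax {${expr}} evaluates expr
# inside a double-quoted string, so {${eval(...)}} in the matched text runs code.
# INJECTION_RE matches that shape; B64_ARG_RE pulls the argument out of the
# base64_decode(...) call seen in the IOC (quotes optional).
INJECTION_RE = re.compile(r"\{\$\{(.+?)\}\}", re.S)
B64_ARG_RE = re.compile(r"base64_decode\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)")

# Success marker the Metasploit module looks for in a phpinfo() page.
PHPINFO_MARKER = "This program makes use of the Zend"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_import_request(method: str, target: str) -> bool:
    """True for a POST to plugin.php whose page= parameter is an import page."""
    url = urlsplit(target)
    page = parse_qs(url.query).get("page", [""])[0]
    return method.upper() == "POST" and url.path.endswith("plugin.php") and page in IMPORT_PAGES


def parse_multipart(body: bytes, boundary: str):
    """Yield (name, filename, content) for each part of a multipart/form-data body."""
    delimiter = b"--" + boundary.encode()
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter: no more parts
            break
        header_blob, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disposition = next((ln for ln in header_blob.decode("latin-1").split("\r\n")
                            if ln.lower().startswith("content-disposition:")), "")
        name = re.search(r'[; ]name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        yield (name.group(1) if name else "", filename.group(1) if filename else "",
               content.rstrip(b"\r\n"))


def decode_payload(expr: str):
    """Return the decoded base64 argument of base64_decode(...) in expr, or None."""
    m = B64_ARG_RE.search(expr)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_xml(data: bytes, where: str):
    """Find {${...}} expressions in element text and attributes of an uploaded XML file."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not well-formed XML (or a plain form field): grep the raw bytes instead,
        # so a deliberately broken document cannot dodge the check.
        for m in INJECTION_RE.finditer(data.decode("utf-8", "replace")):
            findings.append({"location": f"{where}:raw", "expr": m.group(1),
                             "payload": decode_payload(m.group(1))})
        return findings
    for elem in root.iter():
        slots = [(f"{where}:<{elem.tag}>", elem.text or "")]
        slots += [(f"{where}:<{elem.tag} {attr}>", val) for attr, val in elem.attrib.items()]
        for location, value in slots:
            for m in INJECTION_RE.finditer(value):
                findings.append({"location": location, "expr": m.group(1),
                                 "payload": decode_payload(m.group(1))})
    return findings


def scan_request(raw: bytes) -> dict:
    """Flag a request that targets the import pages and carries a {${...}} injection."""
    method, target, headers, body = parse_request(raw)
    if not is_import_request(method, target):
        return {"import_endpoint": False, "findings": []}
    ctype = headers.get("content-type", "")
    findings = []
    if "multipart/form-data" in ctype and "boundary=" in ctype:
        boundary = ctype.split("boundary=", 1)[1].split(";")[0].strip().strip('"')
        for name, filename, content in parse_multipart(body, boundary):
            findings += scan_xml(content, filename or name)
    else:
        findings += scan_xml(body, "body")
    return {"import_endpoint": True, "findings": findings}


def looks_like_phpinfo(response_body: str) -> bool:
    """True if a response looks like phpinfo() output (the Metasploit success check)."""
    return PHPINFO_MARKER in response_body


# Constructed sample traffic (an assumption, not a capture): a multipart upload to
# import_action with the IOC pattern in the description text and an issuelink
# attribute. The XML element layout and form field names are placeholders.
PAYLOAD_B64 = base64.b64encode(b"phpinfo();").decode()
INJECTION = "{${eval(base64_decode(" + PAYLOAD_B64 + "))}}"
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<mantis version="1.2.17"><issue><id>1</id>\n'
    "<description>" + INJECTION + "</description>\n"
    '<reference issuelink="' + INJECTION + '"/>\n'
    "</issue></mantis>"
)
BOUNDARY = "----ConstructedBoundary7146"
SAMPLE_REQUEST = (
    "POST /mantisbt/plugin.php?page=XmlImportExport/import_action HTTP/1.1\r\n"
    "Host: mantis.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=" + BOUNDARY + "\r\n\r\n"
    "--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="step"\r\n\r\n1\r\n'
    "--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="file"; filename="issues.xml"\r\n'
    "Content-Type: text/xml\r\n\r\n" + SAMPLE_XML + "\r\n"
    "--" + BOUNDARY + "--\r\n"
).encode()

if __name__ == "__main__":
    for f in scan_request(SAMPLE_REQUEST)["findings"]:
        print(f"{f['location']}: {f['expr']} -> decoded: {f['payload']!r}")
```

The XML is walked rather than grepped so that the report names the exact element or attribute carrying the expression, which is what distinguishes the two injection points the advisory lists; the raw-bytes fallback exists because the vulnerable code path runs on the attacker's document, so a parse error on the detection side must not translate into a miss.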