cbcvebase.
CVE-2014-8598
published 2014-11-18

CVE-2014-8598: The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or…

Priority: P3 (55) · CVSS 2.0: 6.4 (medium)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 38.46% (98.4th percentile)
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.

Affected (1 range)

Vendor    Product   Version range   Fixed in
mantisbt  mantisbt  <= 1.2.17       (not listed)

Detection & IOCs (extracted from sources)

path: plugins/XmlImportExport/ImportXml.php
url:  plugin.php?page=XmlImportExport/import
url:  plugin.php?page=XmlImportExport/import_action
  • Monitor HTTP POST requests to plugin.php?page=XmlImportExport/import_action containing multipart XML file uploads; the payload is embedded in the <description> field or issuelink attribute of the XML using the pattern {${eval(base64_decode(...))}}.
  • Alert on unauthenticated or low-privilege access to the XmlImportExport import and export pages; the plugin performs no access-level check of its own, so exploitation is possible even by anonymous users where anonymous access is enabled.
  • Detect XML file uploads to MantisBT containing base64-encoded PHP payloads within the description or issuelink fields, specifically the eval(base64_decode(...)) pattern used by the exploit.
  • Flag access to the XmlImportExport export page by any user without appropriate access level, as it can expose all bug-related data including usernames.
  • Inspect SOAP requests to mantisconnect.php for version fingerprinting activity (mc_version calls), which is used by the exploit module to confirm a vulnerable MantisBT instance before exploitation.
  • The vulnerability is only exploitable when the XmlImportExport plugin is installed and enabled in MantisBT; instances without the plugin are not affected.
  • Exploitation without credentials is only possible if anonymous access is enabled on the MantisBT instance; otherwise, at minimum a low-privilege authenticated account is required.
  • CVE-2014-8598 (access control bypass) is most dangerous when chained with CVE-2014-7146 (preg_replace /e code injection); the access control flaw alone enables data exfiltration via the export page.
  • Affected versions are 1.2.0a3 through 1.2.17 inclusive; the fix was introduced in 1.2.18.
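The detection bullets above can be turned into a small rule set and run over request records. The block below is an added example written for this page, not code from MantisBT, the CVE page or the exploit module: it flags (1) access to the XmlImportExport import/export pages by a user below a site-chosen access level, (2) POSTs to import_action whose uploaded XML carries the {${eval(base64_decode(...))}} payload in a <description> element or the root issuelink attribute, falling back to a raw byte scan when the XML is malformed, and (3) SOAP calls to mantisconnect.php that invoke mc_version. The Request record, the MANAGER threshold, the assumption that a proxy or WAF has already extracted the uploaded file part into the body field, and all sample traffic are constructed for the demo.

```python
"""Detection rules for CVE-2014-8598 traffic (added example; constructed data)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# MantisBT access-level constants (core/constant_inc.php). MANAGER is used here as
# an assumed site threshold for import/export; the advisory names no specific level.
ANYBODY, VIEWER, REPORTER, MANAGER = 0, 10, 25, 70

PAGE_RE = re.compile(
    r"plugin\.php\?(?:[^#]*&)?page=(XmlImportExport/(?:import_action|import|export))\b")
# eval(base64_decode(...)) inside PHP's {${ ... }} interpolation form, the pattern
# the advisory names for the chained CVE-2014-7146 code execution.
PAYLOAD_RE = re.compile(r"\{\$\{\s*eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


@dataclass
class Request:
    """One HTTP request as a proxy/app log might record it (constructed layout).
    body holds the SOAP envelope, or the already-extracted XML file part of a
    multipart import upload (assumption: the WAF/proxy did the multipart split)."""
    method: str
    path: str
    access_level: int          # effective level of the requester; ANYBODY = anonymous
    body: bytes = b""


def plugin_page(path: str) -> Optional[str]:
    m = PAGE_RE.search(path)
    return m.group(1) if m else None


def payload_fields(xml_bytes: bytes) -> List[str]:
    """Return the XML locations carrying the eval(base64_decode()) payload."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        # Malformed XML still reaches the plugin's parser; do not lose the hit.
        return ["raw"] if PAYLOAD_RE.search(xml_bytes.decode("latin-1")) else []
    hits = []
    if PAYLOAD_RE.search(root.get("issuelink", "")):
        hits.append("issuelink")
    if any(el.text and PAYLOAD_RE.search(el.text) for el in root.iter("description")):
        hits.append("description")
    return hits


def analyze(req: Request, threshold: int = MANAGER) -> List[str]:
    findings = []
    if "mantisconnect.php" in req.path and b"mc_version" in req.body:
        findings.append("SOAP mc_version fingerprinting call")
    page = plugin_page(req.path)
    if page is None:
        return findings
    if req.access_level < threshold:
        findings.append(f"low-privilege access to {page} (level {req.access_level} < {threshold})")
    if req.method == "POST" and page.endswith("import_action") and req.body:
        for where in payload_fields(req.body):
            findings.append(f"eval(base64_decode()) payload in XML {where}")
    return findings


def scan(requests: List[Request]) -> Dict[int, List[str]]:
    out = {}
    for i, r in enumerate(requests):
        f = analyze(r)
        if f:
            out[i] = f
    return out


# Constructed samples: a manager export, an anonymous export (data exposure), an
# anonymous import carrying the chained payload, a SOAP fingerprint, a benign view.
EVIL_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<mantis version="1.2.17" urlbase="http://bugs.example.test/" issuelink="#" notelink="~" format="1">
 <issue><id>1</id><summary>test</summary>
  <description>{${eval(base64_decode(cGhwaW5mbygpOw==))}}</description>
 </issue>
</mantis>"""

SAMPLES = [
    Request("GET", "/mantis/plugin.php?page=XmlImportExport/export", MANAGER),
    Request("GET", "/mantis/plugin.php?page=XmlImportExport/export", ANYBODY),
    Request("POST", "/mantis/plugin.php?page=XmlImportExport/import_action", ANYBODY, EVIL_XML),
    Request("POST", "/mantis/api/soap/mantisconnect.php", ANYBODY,
            b'<soap:Envelope><soap:Body><mc_version/></soap:Body></soap:Envelope>'),
    Request("GET", "/mantis/view.php?id=1", REPORTER),
]

if __name__ == "__main__":
    for i, f in scan(SAMPLES).items():
        print(i, SAMPLES[i].method, SAMPLES[i].path, "->", "; ".join(f))
```

The threshold is the part to tune: set it to whatever level your site actually grants import/export rights, and treat any hit on the export page as a possible dump of all bug data including usernames, since the plugin itself will not refuse the request.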