cbcvebase.
CVE-2019-15715
published 2019-10-09

CVE-2019-15715: MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.

Priority: P2 · 66 · high
CVSS 3.1 base score: 7.2 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 30.00% (98.0th percentile)

Affected

4 ranges

Vendor     Product    Version range        Fixed in
mantisbt   mantisbt   >= 0 < 1.3.20        1.3.20
mantisbt   mantisbt   >= 1.0.0 < 1.3.20    1.3.20
mantisbt   mantisbt   >= 2.0.0 < 2.22.1    2.22.1
mantisbt   mantisbt   >= 2.0.0 < 2.22.1    2.22.1

Detection & IOCs (extracted from sources)

Paths:
  /verify.php
  /account_update.php
  /adm_config_report.php
  /adm_config_set.php
  /workflow_graph_img.php
  /adm_config_delete.php
  • Monitor POST requests to /adm_config_set.php setting config_option=dot_tool with a shell command as the value; this is the injection sink for CVE-2019-15715.
  • A GET request to /workflow_graph_img.php immediately after setting dot_tool config is the trigger for the command injection RCE; alert on this endpoint being accessed by admin-session cookies shortly after adm_config_set.php writes.
  • The exploit chains CVE-2017-7615 (unauthenticated password reset via /verify.php with blank confirm_hash) before exploiting CVE-2019-15715; detect unauthenticated GET to /verify.php?id=1&confirm_hash= (empty confirm_hash parameter).
  • Detect POST to /adm_config_set.php with config_option=relationship_graph_enable followed by config_option=dot_tool in rapid succession from the same session; this is the two-step exploit setup sequence.
  • The injected dot_tool value contains a base64-encoded bash reverse shell piped through 'base64 -d | /bin/bash'; inspect the value field of adm_config_set.php POST bodies for base64 strings decoded to bash TCP redirections.
  • The exploit targets MantisBT versions 1.3.0 and 2.3.0 (before 1.3.20 / 2.22.1); ensure version detection rules flag these specific version strings in HTTP response headers or page footers.
  • The exploit requires a prior account hijack step (CVE-2017-7615) to obtain admin credentials before the CVE-2019-15715 command injection can be triggered; the vulnerability itself is post-authentication, but the full chain is unauthenticated.
  • The NVD description classifies this as Post Authentication Command Injection; standalone exploitation of CVE-2019-15715 requires valid admin credentials.
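The bullets above describe a sequence rather than a single signature: a config write of dot_tool (optionally preceded by relationship_graph_enable in the same session), a render of workflow_graph_img.php shortly afterwards, and the unauthenticated verify.php request with an empty confirm_hash from the CVE-2017-7615 stage. The following Python is an added example, not taken from the page or from MantisBT, that correlates those stages over request records. The record layout (session id, method, path, parsed parameters, epoch timestamp), the 60-second correlation window and the shell-metacharacter heuristic used to separate a suspicious dot_tool value from an ordinary path such as /usr/bin/dot are assumptions of this example; the sample records are constructed, not real traffic.

```python
"""Stage correlation for the CVE-2019-15715 exploitation pattern listed above.

Added example, not code from the original page or from MantisBT. It assumes a
WAF or reverse proxy that logs parsed POST parameters alongside the session id;
the record fields and the correlation window are assumptions for this example.
"""
import re
from typing import Dict, List, Tuple

# Shell metacharacters and fragments that a legitimate dot_tool path (e.g. /usr/bin/dot)
# would not contain. Matching one of these upgrades the dot_tool alert to high severity.
SHELL_PATTERN = re.compile(r"[|;&`$<>(){}]|\bbase64\b|/bin/(ba)?sh\b")

# (rule name, session id, timestamp of the request that fired the rule)
Alert = Tuple[str, str, int]

# Constructed sample records (assumption: this is what a body-logging proxy would emit).
# Session "-" is an unauthenticated request; "s-ops" is a benign admin changing dot_tool.
SAMPLE_RECORDS: List[Dict] = [
    {"ts": 100, "session": "-", "method": "GET", "path": "/verify.php",
     "params": {"id": "1", "confirm_hash": ""}},
    {"ts": 130, "session": "s-admin", "method": "POST", "path": "/adm_config_set.php",
     "params": {"config_option": "relationship_graph_enable", "value": "1"}},
    {"ts": 135, "session": "s-admin", "method": "POST", "path": "/adm_config_set.php",
     "params": {"config_option": "dot_tool",
                "value": "x; echo CONSTRUCTED | base64 -d | /bin/bash"}},
    {"ts": 140, "session": "s-admin", "method": "GET", "path": "/workflow_graph_img.php",
     "params": {}},
    {"ts": 300, "session": "s-ops", "method": "POST", "path": "/adm_config_set.php",
     "params": {"config_option": "dot_tool", "value": "/usr/bin/dot"}},
    {"ts": 400, "session": "s-ops", "method": "GET", "path": "/workflow_graph_img.php",
     "params": {}},
    {"ts": 500, "session": "s-user", "method": "GET", "path": "/view.php",
     "params": {"id": "7"}},
]


def looks_like_shell_command(value: str) -> bool:
    """Heuristic: a dot_tool value with shell syntax is not a plain executable path."""
    return SHELL_PATTERN.search(value) is not None


def detect(records: List[Dict], window: int = 60) -> List[Alert]:
    """Replay records in time order and emit one alert per matched stage.

    Stages are correlated per session: relationship_graph_enable -> dot_tool and
    dot_tool -> workflow_graph_img.php only fire inside `window` seconds.
    """
    alerts: List[Alert] = []
    graph_enable_ts: Dict[str, int] = {}  # session -> last relationship_graph_enable write
    dot_tool_ts: Dict[str, int] = {}      # session -> last dot_tool write

    for r in sorted(records, key=lambda x: x["ts"]):
        sess, ts, path, params = r["session"], r["ts"], r["path"], r["params"]

        # CVE-2017-7615 stage: confirm_hash parameter present but empty.
        if r["method"] == "GET" and path == "/verify.php" and params.get("confirm_hash") == "":
            alerts.append(("verify_empty_confirm_hash", sess, ts))

        # Injection sink: config write of dot_tool (optionally preceded by graph enable).
        elif r["method"] == "POST" and path == "/adm_config_set.php":
            option = params.get("config_option")
            if option == "relationship_graph_enable":
                graph_enable_ts[sess] = ts
            elif option == "dot_tool":
                dot_tool_ts[sess] = ts
                value = params.get("value", "")
                rule = "dot_tool_shell_command" if looks_like_shell_command(value) else "dot_tool_changed"
                alerts.append((rule, sess, ts))
                if sess in graph_enable_ts and ts - graph_enable_ts[sess] <= window:
                    alerts.append(("graph_enable_then_dot_tool", sess, ts))

        # Trigger: graph render shortly after the same session wrote dot_tool.
        elif r["method"] == "GET" and path == "/workflow_graph_img.php":
            if sess in dot_tool_ts and ts - dot_tool_ts[sess] <= window:
                alerts.append(("graph_render_after_dot_tool", sess, ts))

    return alerts


if __name__ == "__main__":
    for rule, sess, ts in detect(SAMPLE_RECORDS):
        print(f"{ts:>5}  session={sess:<8}  {rule}")
```

On the constructed records the benign s-ops session produces only a medium-severity dot_tool_changed alert (its render comes 100 seconds later, outside the window), while s-admin produces the full high-severity chain. Tune the window to how quickly your administrators actually follow a config change with a graph render; the metacharacter heuristic is intentionally broad, so treat dot_tool_changed as a review item and dot_tool_shell_command as an incident.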

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P