CVE-2019-15715
published 2019-10-09CVE-2019-15715: MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
PriorityP266high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EXPLOIT
EPSS
30.00%
98.0th percentile
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mantisbt | mantisbt | >= 0 < 1.3.20 | 1.3.20 |
| mantisbt | mantisbt | >= 1.0.0 < 1.3.20 | 1.3.20 |
| mantisbt | mantisbt | >= 2.0.0 < 2.22.1 | 2.22.1 |
| mantisbt | mantisbt | >= 2.0.0 < 2.22.1 | 2.22.1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor POST requests to /adm_config_set.php setting config_option=dot_tool with a shell command as the value; this is the injection sink for CVE-2019-15715. ↗
- →A GET request to /workflow_graph_img.php immediately after setting dot_tool config is the trigger for the command injection RCE; alert on this endpoint being accessed by admin-session cookies shortly after adm_config_set.php writes. ↗
- →The exploit chains CVE-2017-7615 (unauthenticated password reset via /verify.php with blank confirm_hash) before exploiting CVE-2019-15715; detect unauthenticated GET to /verify.php?id=1&confirm_hash= (empty confirm_hash parameter). ↗
- →Detect POST to /adm_config_set.php with config_option=relationship_graph_enable followed by config_option=dot_tool in rapid succession from the same session — this is the two-step exploit setup sequence. ↗
- →The injected dot_tool value contains a base64-encoded bash reverse shell piped through 'base64 -d | /bin/bash'; inspect the value field of adm_config_set.php POST bodies for base64 strings decoded to bash TCP redirections. ↗
- →The exploit targets MantisBT versions 1.3.0 and 2.3.0 (before 1.3.20 / 2.22.1); ensure version detection rules flag these specific version strings in HTTP response headers or page footers. ↗
- ·The exploit requires a prior account hijack step (CVE-2017-7615) to obtain admin credentials before the CVE-2019-15715 command injection can be triggered; the vulnerability itself is post-authentication but the full chain is unauthenticated. ↗
- ·The NVD description classifies this as Post Authentication Command Injection; standalone exploitation of CVE-2019-15715 requires valid admin credentials. ↗
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
MantisBT Remote Code Execution
ghsa·2022-05-24
CVE-2019-15715 [HIGH] CWE-78 MantisBT Remote Code Execution
MantisBT Remote Code Execution
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
OSV
MantisBT Remote Code Execution
osv·2022-05-24
CVE-2019-15715 [HIGH] MantisBT Remote Code Execution
MantisBT Remote Code Execution
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/159219/Mantis-Bug-Tracker-2.3.0-Remote-Code-Execution.htmlhttps://github.com/mantisbt/mantisbt/commit/5fb979604d88c630343b3eaf2b435cd41918c501https://github.com/mantisbt/mantisbt/commit/7092573fac31eff41823f13540324db167c8bd52https://github.com/mantisbt/mantisbt/commit/cebfb9acb3686e8904d80bd4bc80720b54ba08e5https://github.com/mantisbt/mantisbt/commit/fc7668c8e45db55fc3a4b991ea99d2b80861a14chttps://mantisbt.org/bugs/changelog_page.php?project=mantisbthttps://mantisbt.org/bugs/view.php?id=26091https://mantisbt.org/bugs/view.php?id=26162http://packetstormsecurity.com/files/159219/Mantis-Bug-Tracker-2.3.0-Remote-Code-Execution.htmlhttps://github.com/mantisbt/mantisbt/commit/5fb979604d88c630343b3eaf2b435cd41918c501https://github.com/mantisbt/mantisbt/commit/7092573fac31eff41823f13540324db167c8bd52https://github.com/mantisbt/mantisbt/commit/cebfb9acb3686e8904d80bd4bc80720b54ba08e5https://github.com/mantisbt/mantisbt/commit/fc7668c8e45db55fc3a4b991ea99d2b80861a14chttps://mantisbt.org/bugs/changelog_page.php?project=mantisbthttps://mantisbt.org/bugs/view.php?id=26091https://mantisbt.org/bugs/view.php?id=26162
2019-10-09
Published