Multiple vulnerabilities in mantis

Package(s):

mantis

CVE #(s):

Created:

August 20, 2002

Updated:

September 4, 2002

Description:

The Mantis project has reported a number of bugs in the Mantis bug tracking system, including:

Arbitrary code execution as a result of some unitialized variables - beyond the problem reported in the previous Mantis vulnerability.
Exposure of private bug information through the modification of cookies.
SQL poisoning which could lead to privilege elevation.
Bypassing of limitations on who can view specific bugs.
Another code execution vulnerability resulting from a different uninitialized variable.

Needless to say, upgrading to a version later than 0.17.3 is recommended.

Alerts:

Debian	DSA-161-1	mantis	2002-09-04
Debian	DSA-153-2	mantis	2002-08-20