| Name | CVE-2014-1608 |
| Description | SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-3030-1 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mantis | source | squeeze | (unfixed) | end-of-life | ||
| mantis | source | wheezy | 1.2.11-1.2+deb7u1 | DSA-3030-1 | ||
| mantis | source | (unstable) | (unfixed) |
[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
https://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102