View Issue Details

ID: 0019277
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-03-15 19:58
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.0-beta.2
Fixed in Version: 1.3.0-beta.2
Summary: 0019277: CVE-2014-9573: SQL Injection in manage_user_page.php
Description

This is a clone of 0017940 to track the vulnerability in 1.3.x branch

Additional Information

Advisory ID: HTB23243
Reference: https://www.htbridge.com/advisory/HTB23243

Original report in 0017937

Tags: No tags attached.

Relationships

duplicate of 0017940 (closed, dregad): CVE-2014-9573: SQL Injection in manage_user_page.php

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master 7cc4539f

2014-12-27 07:34

dregad


Fix SQL injection in manage_user_page.php

This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes 0017940
Affected Issues
0017937, 0017940, 0019277
mod - manage_user_page.php
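As an added illustration of the mitigation the commit message describes (cookie-derived parameters sanitized before they reach the SQL query), here is example code that is not MantisBT's own and does not reproduce the contents of manage_user_page.php. The cookie layout (`sort:direction:access_level`), the `user_table` schema and the sample rows are assumptions constructed for this example. Sort column and direction are accepted only from an allow-list, since SQL identifiers cannot be bound as parameters, and the numeric filter is passed as a bound parameter.

```python
import re
import sqlite3

# Allow-lists for the parts of the cookie that become SQL identifiers.
# Anything not listed is rejected rather than spliced into the query.
# (Hypothetical column names, constructed for this example.)
ALLOWED_SORT_COLUMNS = {"username", "email", "access_level", "last_visit"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
# Coarse character filter applied before any field-level validation.
COOKIE_PATTERN = re.compile(r"^[A-Za-z0-9_:\-]*$")


class BadCookieValue(ValueError):
    """Raised when a cookie-derived parameter fails validation."""


def parse_manage_cookie(raw):
    """Parse an assumed 'sort:direction:access_level' cookie into safe parts.

    Each field that ends up in SQL is either checked against an allow-list
    or converted to an int, so the returned values cannot carry SQL syntax.
    """
    if raw is None or not COOKIE_PATTERN.match(raw):
        raise BadCookieValue("cookie contains disallowed characters")
    parts = raw.split(":")
    if len(parts) != 3:
        raise BadCookieValue("cookie must have exactly three fields")
    sort_col, direction, min_access = parts
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise BadCookieValue("unknown sort column %r" % sort_col)
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise BadCookieValue("unknown sort direction %r" % direction)
    try:
        min_access = int(min_access)
    except ValueError:
        raise BadCookieValue("access level must be an integer")
    return sort_col, direction, min_access


def is_valid_cookie(raw):
    """Accept/reject view of parse_manage_cookie, for callers that only log."""
    try:
        parse_manage_cookie(raw)
    except BadCookieValue:
        return False
    return True


def list_users(conn, raw_cookie):
    """Run the user listing with identifiers allow-listed and values bound."""
    sort_col, direction, min_access = parse_manage_cookie(raw_cookie)
    # sort_col and direction come only from the allow-lists above; the
    # access-level threshold is bound as a parameter, never interpolated.
    sql = ("SELECT username, access_level FROM user_table "
           "WHERE access_level >= ? ORDER BY %s %s" % (sort_col, direction))
    return conn.execute(sql, (min_access,)).fetchall()


def build_sample_db():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (username TEXT, email TEXT, "
                 "access_level INTEGER, last_visit INTEGER)")
    conn.executemany("INSERT INTO user_table VALUES (?, ?, ?, ?)", [
        ("alice", "alice@example.invalid", 90, 3),
        ("bob", "bob@example.invalid", 25, 2),
        ("carol", "carol@example.invalid", 55, 1),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(list_users(db, "username:desc:50"))
    # Values that fail validation are refused before any SQL is built.
    for bad in ("password:asc:0", "username:desc:50 extra", "username:sideways:1"):
        print(bad, "->", "accepted" if is_valid_cookie(bad) else "rejected")
```

The character filter alone would not be enough on its own (a well-formed value could still name a column the caller should not sort on), which is why each field is then checked against an explicit allow-list or converted to a number; logging rejected values gives a cheap detection signal for tampering with the cookie.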