View Issue Details

ID: 0026162
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-09-27 02:35
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.8
Target Version: 1.3.20
Fixed in Version: 1.3.20
Summary0026162: CVE-2019-15715: Command Execution / Injection Vulnerability
Description

This is a clone of 0026091 for tracking in the 1.3.x branch's changelog.

Tags: No tags attached.

Relationships

duplicate of 0026091 (closed, atrol): CVE-2019-15715: [Admin Required - Post Authentication] Command Execution / Injection Vulnerability

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.3.x cebfb9ac

2019-09-21 12:02:59

dregad

Escape GraphViz command before calling proc_open()

Fixes 0026162, CVE-2019-15715

(cherry picked from commit 5fb979604d88c630343b3eaf2b435cd41918c501)
Affected Issues
0026162
mod - core/graphviz_api.php

MantisBT: master-1.3.x 7092573f

2019-09-21 12:10:24

dregad

Prevent arbitrary shell command execution

Prior to this, Administrators were able to edit 'dot_tool' and
'neato_tool' config options from the Manage Configuration Page

These can now only be set in the config_inc.php file.

Fixes 0026162, CVE-2019-15715

Backported from fc7668c8e45db55fc3a4b991ea99d2b80861a14c.
Affected Issues
0026162
mod - config_defaults_inc.php
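The two changesets above describe the fix in one line each: escape the GraphViz command before proc_open(), and stop the 'dot_tool' / 'neato_tool' values from being editable through the web UI. The following is an added illustration of that pattern, not code from MantisBT or from these commits; the function names, the simplified "<tool> -T<format>" command line, the variable $t_dot_tool standing in for the 'dot_tool' config value, and the sample malicious value are all constructed for the example.

```php
<?php
// Added illustration of the fix pattern described in the changesets above
// (escape the GraphViz command before proc_open()). Not MantisBT's own code:
// the function names, the simplified "<tool> -T<format>" command line and the
// sample config value are constructed for this example.

/**
 * Vulnerable pattern: an administrator-controlled tool path is concatenated
 * into the command line unescaped. proc_open() hands a string command to
 * /bin/sh, so a value such as "dot; touch /tmp/pwned" runs a second command.
 */
function build_graphviz_command_unsafe( $p_tool, $p_format ) {
	return $p_tool . ' -T' . $p_format;
}

/**
 * Hardened pattern: escapeshellcmd() backslash-escapes shell metacharacters in
 * the command, and escapeshellarg() wraps each argument in single quotes.
 */
function build_graphviz_command_safe( $p_tool, $p_format ) {
	return escapeshellcmd( $p_tool ) . ' -T' . escapeshellarg( $p_format );
}

/**
 * Runs the prepared command with DOT source on stdin and returns the rendered
 * output, or false if the process could not be started.
 */
function render_graph( $p_command, $p_dot_source ) {
	$t_descriptors = array(
		0 => array( 'pipe', 'r' ),  // stdin: DOT source
		1 => array( 'pipe', 'w' ),  // stdout: rendered image
		2 => array( 'pipe', 'w' ),  // stderr: tool diagnostics
	);
	$t_process = proc_open( $p_command, $t_descriptors, $t_pipes );
	if( !is_resource( $t_process ) ) {
		return false;
	}
	fwrite( $t_pipes[0], $p_dot_source );
	fclose( $t_pipes[0] );
	$t_output = stream_get_contents( $t_pipes[1] );
	fclose( $t_pipes[1] );
	fclose( $t_pipes[2] );
	proc_close( $t_process );
	return $t_output;
}

// Constructed malicious value, standing in for what a Manage Configuration
// edit of 'dot_tool' could have saved before the fix.
$t_dot_tool = 'dot; touch /tmp/pwned';

// Compare the two command lines; only the unsafe one still contains a bare ';'.
echo build_graphviz_command_unsafe( $t_dot_tool, 'png' ), "\n";
echo build_graphviz_command_safe( $t_dot_tool, 'png' ), "\n";

// Rendering is done only with the escaped command and a benign tool path,
// so the example never executes the injected command.
$t_image = render_graph( build_graphviz_command_safe( 'dot', 'png' ),
	"digraph G { a -> b; }" );
var_dump( $t_image !== false );
```

Note what escapeshellcmd() does and does not buy you: the ';' becomes '\;' so no second command is chained, but spaces are left alone, so the escaped line is executed as a program named "dot;" with "touch", "/tmp/pwned" and "-Tpng" as its arguments. Escaping prevents command chaining; it does not stop an untrusted value from choosing which executable runs or what arguments it receives. That is the general reason a tool path belongs in a file only the deployer writes (config_inc.php, as the second changeset does) rather than in a web-editable setting, and on PHP 7.4 and later, passing proc_open() an array of command and arguments instead of a string bypasses the shell altogether.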

Issue History

Date Modified Username Field Change
2019-09-21 12:13 dregad New Issue
2019-09-21 12:13 dregad Status new => assigned
2019-09-21 12:13 dregad Assigned To => dregad
2019-09-21 12:13 dregad Issue generated from: 0026091
2019-09-21 12:13 dregad Relationship added duplicate of 0026091
2019-09-21 12:17 dregad Target Version => 1.3.20
2019-09-21 12:18 dregad Changeset attached => MantisBT master-1.3.x 7092573f
2019-09-21 12:18 dregad Changeset attached => MantisBT master-1.3.x cebfb9ac
2019-09-21 12:18 dregad Status assigned => resolved
2019-09-21 12:18 dregad Resolution open => fixed
2019-09-21 12:18 dregad Fixed in Version => 1.3.20
2019-09-27 02:35 dregad Status resolved => closed
2019-09-27 02:35 dregad View Status private => public