View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026162 | mantisbt | security | public | 2019-09-21 12:13 | 2019-09-27 02:35 |
Reporter | dregad | Assigned To | dregad | | |
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | | |
Product Version | 1.3.8 | | | | |
Target Version | 1.3.20 | Fixed in Version | 1.3.20 | | |
Summary | 0026162: CVE-2019-15715: Command Execution / Injection Vulnerability | | | | |
Description | This is a clone of 0026091 for tracking in the 1.3.x branch's changelog. | | | | |
Tags | No tags attached. | | | | |
MantisBT: master-1.3.x cebfb9ac 2019-09-21 08:02 |
Escape GraphViz command before calling proc_open(). Fixes 0026162, CVE-2019-15715. (cherry picked from commit 5fb979604d88c630343b3eaf2b435cd41918c501) |
Affected Issues 0026162 |
mod - core/graphviz_api.php |
MantisBT: master-1.3.x 7092573f 2019-09-21 08:10 |
Prevent arbitrary shell command execution. Prior to this, Administrators were able to edit 'dot_tool' and 'neato_tool' config options from the Manage Configuration Page. These can now only be set in the config_inc.php file. Fixes 0026162, CVE-2019-15715. Backported from fc7668c8e45db55fc3a4b991ea99d2b80861a14c. |
Affected Issues 0026162 |
mod - config_defaults_inc.php |