core/database_api.php in Mantis 0.19.0a1 through 1.0.0a3, with register_globals enabled, allows remote attackers to connect to internal databases by modifying the g_db_type variable and monitoring the speed of responses, as identified by bug#0005956.
| 19815 | GLSA-200509-16 : Mantis: XSS and SQL injection vulnerabilities | Nessus | Gentoo Local Security Checks |
| 19475 | Debian DSA-778-1 : mantis - missing input sanitising | Nessus | Debian Local Security Checks |
| 19473 | Mantis < 1.0.0rc2 Multiple Vulnerabilities | Nessus | CGI abuses |
| 3173 | Mantis < 0.19.3 Multiple Injection Vulnerabilities | Nessus Network Monitor | CGI |