MantisBT 1.2.13 - 1.2.16 'admin_config_report.php' SQLi

Nessus Plugin ID 80913 (Severity: Medium)


The remote web server contains a PHP application that is affected by a SQL injection vulnerability.


According to its version number, the MantisBT application hosted on the remote web server is 1.2.13 or later but prior to 1.2.17. It is, therefore, affected by an input validation error related to the 'filter_config_id' parameter in the script 'admin_config_report.php', which could allow SQL injection attacks.

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.


Upgrade to version 1.2.17 or later.

Plugin Details

Severity: Medium

ID: 80913

File Name: mantis_1_2_17.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 1/22/2015

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

Risk Factor: Medium

Score: 6.7

CVSS v2.0

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:mantisbt:mantisbt

Required KB Items: Settings/ParanoidReport, installed_sw/MantisBT

Exploit Ease: No known exploits are available

Patch Publication Date: 3/4/2014

Vulnerability Publication Date: 2/28/2014

Reference Information

CVE: CVE-2014-2238

BID: 65903