View Issue Details

ID: 0026162
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-09-27 02:35
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.8
Target Version: 1.3.20
Fixed in Version: 1.3.20
Summary: 0026162: CVE-2019-15715: Command Execution / Injection Vulnerability
Description

This is a clone of 0026091 for tracking in the 1.3.x branch's changelog.

Tags: No tags attached.

Relationships

duplicate of 0026091 (closed, atrol): CVE-2019-15715: [Admin Required - Post Authentication] Command Execution / Injection Vulnerability

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.3.x cebfb9ac
2019-09-21 08:02
dregad

Escape GraphViz command before calling proc_open()

Fixes 0026162, CVE-2019-15715

(cherry picked from commit 5fb979604d88c630343b3eaf2b435cd41918c501)

Affected Issues: 0026162
mod - core/graphviz_api.php

MantisBT: master-1.3.x 7092573f
2019-09-21 08:10
dregad

Prevent arbitrary shell command execution

Prior to this, Administrators were able to edit 'dot_tool' and
'neato_tool' config options from the Manage Configuration Page

These can now only be set in the config_inc.php file.

Fixes 0026162, CVE-2019-15715

Backported from fc7668c8e45db55fc3a4b991ea99d2b80861a14c.

Affected Issues: 0026162
mod - config_defaults_inc.php
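The first changeset above describes escaping the GraphViz command before it reaches proc_open(). The following PHP is an added illustration of that pattern and is not MantisBT's own code: the function names, the descriptor layout and the sample tool path are all assumptions made here, and the point is only that a tool path taken from configuration is passed to the shell as a single quoted argument rather than interpolated raw into the command string.

```php
<?php
// Added example, not MantisBT code. Assumes the tool path arrives from a
// configuration value (e.g. 'dot_tool') and that the format and input file
// are chosen by the application, not by a request parameter.

function build_graphviz_command(string $tool_path, string $format, string $input_file): string {
    // escapeshellarg() wraps each value in single quotes and escapes embedded
    // quotes, so shell metacharacters in the tool path or file name are inert
    // when proc_open() hands the string to /bin/sh.
    return escapeshellarg($tool_path)
        . ' -T' . escapeshellarg($format)
        . ' ' . escapeshellarg($input_file);
}

function run_graphviz(string $tool_path, string $format, string $input_file): string {
    $descriptors = [
        0 => ['pipe', 'r'],  // stdin  (unused here, closed immediately)
        1 => ['pipe', 'w'],  // stdout (rendered graph)
        2 => ['pipe', 'w'],  // stderr (GraphViz diagnostics)
    ];
    $cmd = build_graphviz_command($tool_path, $format, $input_file);
    $process = proc_open($cmd, $descriptors, $pipes);
    if (!is_resource($process)) {
        throw new RuntimeException('Unable to start GraphViz');
    }
    fclose($pipes[0]);
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($process);
    return $output;
}

// Constructed sample: a tool path that contains a shell command separator.
$tool = '/usr/bin/dot; echo injected';
echo build_graphviz_command($tool, 'png', 'graph.dot'), PHP_EOL;
```

With escapeshellarg() applied, the sample path becomes one single-quoted token, so the shell looks for a program whose name literally contains the semicolon and the trailing text instead of running a second command. This complements the second changeset: escaping limits what a configured value can do when executed, while moving 'dot_tool' and 'neato_tool' out of the web-editable configuration limits who can set that value in the first place.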