Submit #18903: Mantis Bug Tracker 2.24.3 API SOAP Blind SQL Injection

Title: Mantis Bug Tracker 2.24.3 API SOAP Blind SQL Injection
Description: In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the API SOAP. Sending an empty value as String in the Access parameter, we can get a response with a SQL error.
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-28413
POC: https://www.exploit-db.com/exploits/49340 https://packetstormsecurity.com/files/160750/Mantis-Bug-Tracker-2.24.3-SQL-Injection.html
Details: https://ethicalhcop.medium.com/cve-2020-28413-blind-sql-injection-en-mantis-bug-tracker-2-24-3-api-soap-54238f8e046d
Source: https://ethicalhcop.medium.com/cve-2020-28413-blind-sql-injection-en-mantis-bug-tracker-2-24-3-api-soap-54238f8e046d
User: EthicalHCOP (UID 4258)
Submission: 08/24/2021 10:24 (5 years ago)
Moderation: 08/24/2021 11:05 (41 minutes later)
Status: Duplicate
VulDB entry: 167047 [MantisBT up to 2.24.3 API SOAP mc_project_get_users Access sql injection]
Points: 0
