CVE-2008-3332 - Mantis Remote Code Execution Vulnerability

On May 26, 2008, Francesco Ongaro, identified with the nickname “ascii”, was cited together with Antonio “s4tan” Parata in a Red Hat Bugzilla bug report regarding the CVE-2008-3332 vulnerability. The advisory described a critical Remote Code Execution flaw in the Mantis 1.1.1 platform, exploitable by administrator users through improper use of the eval() function in the adm_config_set.php file. The discovery, also published on USH.it and Bugtraq, led to the correction of the problem in updated versions of Fedora 8 and 9. The intervention confirms Ongaro’s active role in disclosing complex vulnerabilities within widely distributed open source software.