GHSA-g582-8vwr-68h2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g582-8vwr-68h2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-g582-8vwr-68h2/GHSA-g582-8vwr-68h2.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-g582-8vwr-68h2
- Aliases
- Published
- 2025-11-03T20:13:26Z
- Modified
- 2025-11-05T21:01:31.453775Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- MantisBT unauthorized disclosure of private project column configuration
- Details
-
Impact
Due to insufficient access-level checks, any non-admin user having access to manageconfigcolumnspage.php_ (typically project managers having MANAGER role) can use the Copy From action to retrieve the columns configuration from a private project they have no access to.
Access to the reverse operation (Copy To) is correctly controlled, i.e. it is not possible to alter the private project's configuration.
Patches
The vulnerability will be fixed in MantisBT version 2.27.2.
Workarounds
None
Credits
Thanks to d3vpoo1 for reporting the issue.
- Database specific
{ "cwe_ids": [ "CWE-285" ], "github_reviewed": true, "nvd_published_at": "2025-11-04T22:16:38Z", "severity": "MODERATE", "github_reviewed_at": "2025-11-03T20:13:26Z" }- References
Affected packages
Packagist / mantisbt/mantisbt
Package
- Name
- mantisbt/mantisbt
- Purl
- pkg:composer/mantisbt/mantisbt
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.27.2
Affected versions
2.*
2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.14.0
2.15.0
2.15.1
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.19.0
2.19.1
2.20.0
2.20.1
2.21.0
2.21.1
2.21.2
2.21.3
2.22.0
2.22.1
2.22.2
2.23.0
2.23.1
2.24.0
2.24.1
2.24.2
2.24.3
2.24.4
2.24.5
2.25.0
2.25.1
2.25.2
2.25.3
2.25.4
2.25.5
2.25.6
2.25.7
2.25.8
2.26.0
2.26.1
2.26.2
2.26.3
2.26.4
2.27.0
2.27.1