GHSA-v642-mh27-8j6m

Source
https://github.com/advisories/GHSA-v642-mh27-8j6m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v642-mh27-8j6m/GHSA-v642-mh27-8j6m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-v642-mh27-8j6m
Aliases
Published
2023-10-17T14:20:36Z
Modified
2023-11-10T05:37:29.497928Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
MantisBT may disclose project names to unauthorized users
Details

Impact

Due to insufficient access-level checks on the wiki redirection page, any user can reveal private projects' names by accessing wiki.php with sequentially incremented IDs.
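The enumeration pattern described above (one client walking wiki.php?id=1, 2, 3, ... in order) is visible in ordinary web server access logs. The following detector is an added example, not part of the advisory or of MantisBT itself; the log lines are constructed, and the path /mantis/ and the threshold of five consecutive IDs are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log format (not from a real server).
# Client 10.0.0.5/alice walks project IDs 1..5 in order; 10.0.0.9/bob does not.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Oct/2023:10:00:01 +0000] "GET /mantis/wiki.php?type=project&id=1 HTTP/1.1" 302 0
10.0.0.5 - alice [17/Oct/2023:10:00:02 +0000] "GET /mantis/wiki.php?type=project&id=2 HTTP/1.1" 302 0
10.0.0.5 - alice [17/Oct/2023:10:00:03 +0000] "GET /mantis/wiki.php?type=project&id=3 HTTP/1.1" 302 0
10.0.0.5 - alice [17/Oct/2023:10:00:04 +0000] "GET /mantis/wiki.php?type=project&id=4 HTTP/1.1" 302 0
10.0.0.5 - alice [17/Oct/2023:10:00:05 +0000] "GET /mantis/wiki.php?type=project&id=5 HTTP/1.1" 302 0
10.0.0.9 - bob [17/Oct/2023:10:01:00 +0000] "GET /mantis/wiki.php?type=project&id=7 HTTP/1.1" 302 0
10.0.0.9 - bob [17/Oct/2023:10:05:00 +0000] "GET /mantis/view.php?id=8 HTTP/1.1" 200 5120
"""

# ip, ident, user, [timestamp], "method target protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def wiki_project_requests(log_text):
    """Yield ((ip, user), id) for each wiki.php request that carries a numeric id."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wiki.php"):
            continue
        ids = parse_qs(url.query).get("id", [])
        if ids and ids[0].isdigit():
            yield (m.group("ip"), m.group("user")), int(ids[0])

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers, in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_run=5):
    """Return {client: run_length} for clients that walked >= min_run consecutive ids."""
    by_client = defaultdict(list)
    for client, pid in wiki_project_requests(log_text):
        by_client[client].append(pid)
    runs = {c: longest_sequential_run(ids) for c, ids in by_client.items()}
    return {c: n for c, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

On unpatched versions the redirect succeeds regardless of project visibility, so a 302 tells you nothing by itself; the sequential walk across IDs from one client is the signal worth alerting on.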

Patches

Patch under development. The vulnerability will be fixed in MantisBT version 2.25.8.

Workarounds

Disable wiki integration ($g_wiki_enable = OFF;)

References

  • https://mantisbt.org/bugs/view.php?id=32981
Database specific
{
    "nvd_published_at": "2023-10-16T22:15:12Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-668"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-17T14:20:36Z"
}
Affected packages

Packagist / mantisbt/mantisbt

Package

Name
mantisbt/mantisbt
Purl
pkg:composer/mantisbt/mantisbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.25.8

Affected versions

2.*

2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.14.0
2.15.0
2.15.1
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.19.0
2.19.1
2.20.0
2.20.1
2.21.0
2.21.1
2.21.2
2.21.3
2.22.0
2.22.1
2.22.2
2.23.0
2.23.1
2.24.0
2.24.1
2.24.2
2.24.3
2.24.4
2.24.5
2.25.0
2.25.1
2.25.2
2.25.3
2.25.4
2.25.5
2.25.6
2.25.7

Database specific

{
    "last_known_affected_version_range": "<= 2.25.7"
}