CVE-2020-25781

Опубликовано: 30 сент. 2020

Источник: nvd

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.

Ссылки

http://github.com/mantisbt/mantisbt/commit/5595c90f11c48164331a20bb9c66098980516e93
Patch
Third Party Advisory
http://github.com/mantisbt/mantisbt/commit/9de20c09e5a557e57159a61657ce62f1a4f578fe
Patch
Third Party Advisory
https://mantisbt.org/bugs/view.php?id=27039
Exploit
Patch
Vendor Advisory
http://github.com/mantisbt/mantisbt/commit/5595c90f11c48164331a20bb9c66098980516e93
Patch
Third Party Advisory
http://github.com/mantisbt/mantisbt/commit/9de20c09e5a557e57159a61657ce62f1a4f578fe
Patch
Third Party Advisory
https://mantisbt.org/bugs/view.php?id=27039
Exploit
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*

Версия до 2.24.3 (исключая)

EPSS

Процентиль: 49%

0.00258

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-862

Связанные уязвимости

CVE-2020-25781

CVSS3: 4.3

ubuntu

больше 5 лет назад

CVE-2020-25781

CVSS3: 4.3

debian

больше 5 лет назад

An issue was discovered in file_download.php in MantisBT before 2.24.3 ...

GHSA-xjmx-cprh-646r

CVSS3: 4.3

github

больше 3 лет назад

MantisBT unauthorized users able to access private files

EPSS

Процентиль: 49%

0.00258

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-862