CVE-2023-22476

Опубликовано: 23 фев. 2023

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions prior to 2.25.6, due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can access to the Summary field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted bug_arr[] parameter in bug_actiongroup_ext.php. This issue is fixed in version 2.25.6. There are no workarounds.

Ссылки

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79
Third Party Advisory
https://www.mantisbt.org/bugs/view.php?id=31086
Exploit
Issue Tracking
Vendor Advisory
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79
Third Party Advisory
https://www.mantisbt.org/bugs/view.php?id=31086
Exploit
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*

Версия до 2.25.6 (исключая)

EPSS

Процентиль: 51%

0.0028

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-200

NVD-CWE-noinfo

Связанные уязвимости

CVE-2023-22476

CVSS3: 4.3

debian

почти 3 года назад

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In vers ...

GHSA-hf4x-6h87-hm79

CVSS3: 4.3

github

почти 3 года назад

MantisBT may expose private issues' summaries to unauthorized users

EPSS

Процентиль: 51%

0.0028

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-200

NVD-CWE-noinfo