GHSA-mcqj-7p29-9528: MantisBT Host Header Injection vulnerability
Impact
Knowing a user’s email address and username, an unauthenticated attacker can hijack the user’s account by poisoning the link in the password reset notification message.
Patches
https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744
Workarounds
Define $g_path as appropriate in config_inc.php.
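The workaround works by pinning the installation's base URL so it no longer depends on anything the request supplies. The config_inc.php fragment below is an added example, not text from this advisory nor code from the MantisBT project; it assumes, as the advisory implies, that leaving $g_path unset lets the request's Host header determine the base URL that ends up in notification links such as the password reset message. The hostname bugs.example.com is a constructed placeholder and host_matches_configured_path() is a hypothetical helper, not a MantisBT function.

```php
<?php
// config_inc.php -- added example, not MantisBT's own file.
//
// Assumption: when $g_path is not defined, the site URL is derived from the
// request (its Host header), which an unauthenticated client controls.
// Pinning $g_path removes that input from every generated link.

// WEAK: deriving the base URL from the request, which is what leaving
// $g_path undefined amounts to. Do not do this:
// $g_path = 'http://' . $_SERVER['HTTP_HOST'] . '/mantis/';

// FIXED: hard-code the canonical URL of this installation (trailing slash).
$g_path = 'https://bugs.example.com/mantis/';   // constructed placeholder host

/**
 * Hypothetical defence-in-depth helper (not part of MantisBT): report whether
 * the Host header of the current request names the same host as $g_path.
 * An explicit port on the request host is ignored for the comparison.
 */
function host_matches_configured_path(string $request_host, string $configured_path): bool {
    $expected = parse_url($configured_path, PHP_URL_HOST);
    if ($expected === null || $expected === false) {
        return false;
    }
    $actual = strtolower((string) preg_replace('/:\d+$/', '', $request_host));
    return $actual === strtolower($expected);
}

// Refuse web requests whose Host header disagrees with the configured site,
// so a mismatch is logged for the operator instead of reaching URL-building
// code. The isset() guard keeps CLI scripts (no Host header) working.
if (isset($_SERVER['HTTP_HOST'])
    && !host_matches_configured_path($_SERVER['HTTP_HOST'], $g_path)) {
    error_log('Host header does not match $g_path: ' . $_SERVER['HTTP_HOST']);
    http_response_code(400);
    exit;
}
```

The first assignment alone is the workaround the advisory describes; the host check is optional and only adds a log line and a 400 response for requests that arrive under a different name than the one configured, which makes an attempted Host header manipulation visible in the web server or PHP error log.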
References
https://mantisbt.org/bugs/view.php?id=19381
Credits
Thanks to the following security researchers for responsibly reporting and helping resolve this vulnerability.
- Pier-Luc Maltais (https://twitter.com/plmaltais)
- Hlib Yavorskyi (https://github.com/Kerkroups)
- Jingshao Chen (https://github.com/shaozi)
- Brandon Roldan
- nhchoudhary
Package
composer mantisbt/mantisbt (Composer)
Affected versions
< 2.26.1
Patched versions
2.26.1
References
- GHSA-mcqj-7p29-9528
- mantisbt/mantisbt@7055731
- https://nvd.nist.gov/vuln/detail/CVE-2024-23830
- https://mantisbt.org/bugs/view.php?id=19381
dregad published to mantisbt/mantisbt
Feb 20, 2024
Published by the National Vulnerability Database
Feb 20, 2024
Published to the GitHub Advisory Database
Feb 20, 2024
Reviewed
Feb 20, 2024
Last updated
Feb 21, 2024