GHSA-hf4x-6h87-hm79: MantisBT may expose private issues' summaries to unauthorized users

Impact

Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted bug_arr[] parameter in bug_actiongroup_ext.php.
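The defender-side pattern this class of bug needs, as an added example that is not MantisBT's own code: every id submitted in bug_arr[] is checked against the requesting user's view access to that specific issue before its Summary is read, and unauthorized ids are dropped rather than echoed back. The helper `user_can_view_issue`, the `$ctx` structure and the sample issues are assumptions constructed for illustration, not the MantisBT API.

```php
<?php
// Added illustration, not MantisBT code. A group action receives bug_arr[]
// from the request; the defect described above is trusting those ids without
// a per-issue view check, so a private issue's Summary leaks.
// Constructed data standing in for the issue table and project membership.
$issues = [
    101 => ['project' => 1, 'private' => false, 'summary' => 'Public issue'],
    102 => ['project' => 1, 'private' => true,  'summary' => 'Private issue'],
    103 => ['project' => 2, 'private' => false, 'summary' => 'Issue in private project'],
];
$ctx = [
    'private_projects'  => [2 => true],
    'access'            => [7 => [1 => 25]], // user 7 is a reporter (25) on project 1 only
    'private_threshold' => 55,               // hypothetical level needed for private issues
];

// Assumed helper: may $user_id view $issue? Non-members see nothing in a
// private project; private issues need the configured threshold.
function user_can_view_issue(int $user_id, array $issue, array $ctx): bool {
    $pid = $issue['project'];
    $level = $ctx['access'][$user_id][$pid] ?? null;
    if ($level === null) {
        return empty($ctx['private_projects'][$pid]) && !$issue['private'];
    }
    return !$issue['private'] || $level >= $ctx['private_threshold'];
}

// Vulnerable shape: returns a summary for every id the request names.
function summaries_unchecked(array $bug_arr, array $issues): array {
    $out = [];
    foreach ($bug_arr as $id) {
        if (isset($issues[$id])) $out[$id] = $issues[$id]['summary'];
    }
    return $out;
}

// Hardened shape: coerce ids to integers, dedupe, and check access for each
// issue before its summary is read; unauthorized ids are silently dropped.
function summaries_checked(array $bug_arr, int $user_id, array $issues, array $ctx): array {
    $out = [];
    foreach (array_unique(array_map('intval', $bug_arr)) as $id) {
        if (!isset($issues[$id]) || !user_can_view_issue($user_id, $issues[$id], $ctx)) continue;
        $out[$id] = $issues[$id]['summary'];
    }
    return $out;
}

$submitted = ['101', '102', '103', '102']; // constructed bug_arr[] naming private ids
var_dump(summaries_unchecked($submitted, $issues));       // 101, 102 and 103: leak
var_dump(summaries_checked($submitted, 7, $issues, $ctx)); // only 101
```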

Patches

A patch is under development. The vulnerability will be fixed in MantisBT version 2.25.6.

Workarounds

None

Credits

Thanks to d3vpoo1 for reporting the issue.

References

  • https://mantisbt.org/bugs/view.php?id=31086


MantisBT may expose private issues’ summaries to unauthorized users

Moderate severity GitHub Reviewed Published Feb 23, 2023 in mantisbt/mantisbt • Updated Feb 23, 2023

Package

composer mantisbt/mantisbt (Composer)

Affected versions

<= 2.25.5


References

  • GHSA-hf4x-6h87-hm79
  • https://mantisbt.org/bugs/view.php?id=31086

Published to the GitHub Advisory Database

Feb 23, 2023

Last updated

Feb 23, 2023

Related news

CVE-2023-22476: Exposure of Private issues' summary to unauthorized users

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions prior to 2.25.6, due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can access the _Summary_ field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted `bug_arr[]` parameter in *bug_actiongroup_ext.php*. This issue is fixed in version 2.25.6. There are no workarounds.