View Issue Details

ID: 0027101
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-08-15 10:44
Reporter: Nolan
Assigned To: atrol
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Platform: all
OS: all
OS Version: all
Product Version: 2.0.0-beta.1
Summary: 0027101: mantisbt<=1.1.6 Arbitrary file reading vulnerability exists
Description

I found an arbitrary file reading vulnerability with mantisbt<=1.1.6. I want to show you how to exploit the vulnerability, and then you can apply for a CVE number for me. Is this okay?

Steps To Reproduce

*

Additional Information

If successful, this is my first CVE number. I hope you guys will help me. Thank you

Tags: No tags attached.

Relationships

has duplicate 0027120 (closed, dregad): mantisbt<=1.1.6 Arbitrary file reading vulnerability exists

Activities

dregad

2020-07-22 10:04

developer   ~0064174

Thanks for your report. Unfortunately, Mantis 1.1 and 1.2 are obsolete and no longer supported.

If the vulnerability you discovered can still be reproduced in current releases (1.3.20 or 2.24.0), we would gladly consider fixing it. In that case, please post details including detailed steps to reproduce.

atrol

2020-07-22 17:05

developer   ~0064178

Last edited: 2020-07-22 17:05

or 2.24.0

When trying, use latest 2.24.1 as there are attachment related security fixes in it, see 0026631 and related ones.

dregad

2020-08-01 10:07

developer   ~0064215

@Nolan, you have not responded to my previous note. If you can't confirm that the issue you reported can be reproduced in the current release, I'll close this as "no change required".

Nolan

2020-08-04 00:33

reporter   ~0064224

Solved it, thank you