Impact

Knowing a user's email address and username, an unauthenticated attacker can hijack the user's account by poisoning the link in the password reset notification message.

Patches

mantisbt/mantisbt@7055731

Workarounds

Define $g_path as appropriate in config_inc.php.

References

https://mantisbt.org/bugs/view.php?id=19381

Credits

Thanks to the following security researchers for responsibly reporting and helping resolve this vulnerability.

• Pier-Luc Maltais (https://twitter.com/plmaltais)
• Hlib Yavorskyi (https://github.com/Kerkroups)
• Jingshao Chen (https://github.com/shaozi)
• Brandon Roldan
• nhchoudhary

References

• GHSA-mcqj-7p29-9528
• mantisbt/mantisbt@7055731
• https://nvd.nist.gov/vuln/detail/CVE-2024-23830
• https://mantisbt.org/bugs/view.php?id=19381