MantisBT may disclose project names to unauthorized users

Impact

Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs.

Patches

Patch under development. The vulnerability will be fixed in MantisBT version 2.25.8.

Workarounds

Disable wiki integration ( $g_wiki_enable = OFF;)

References

https://mantisbt.org/bugs/view.php?id=32981

References

dregad published to mantisbt/mantisbt Oct 14, 2023

Published by the National Vulnerability Database Oct 16, 2023

Published to the GitHub Advisory Database Oct 17, 2023

Reviewed Oct 17, 2023

Last updated Nov 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code