Impact
Knowing a user's email address and username, an unauthenticated attacker can hijack the user's account by poisoning the link in the password reset notification message.
Patches
7055731
Workarounds
Define $g_path as appropriate in config_inc.php.
References
https://mantisbt.org/bugs/view.php?id=19381
Credits
Thanks to the following security researchers for responsibly reporting and helping resolve this vulnerability.
Impact
Knowing a user's email address and username, an unauthenticated attacker can hijack the user's account by poisoning the link in the password reset notification message.
Patches
7055731
Workarounds
Define
$g_pathas appropriate in config_inc.php.References
https://mantisbt.org/bugs/view.php?id=19381
Credits
Thanks to the following security researchers for responsibly reporting and helping resolve this vulnerability.