Mantisbt: >> Mantisbt >> 1.2.8 Security Vulnerabilities
MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection.
CVSS Score
6.4
EPSS Score
0.036
Published
2012-06-29
The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which allows remote authenticated users with read and write SOAP API privileges to delete arbitrary bug reports and bug notes.
CVSS Score
3.6
EPSS Score
0.009
Published
2012-06-29
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.
CVSS Score
7.5
EPSS Score
0.037
Published
2012-06-17
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.
CVSS Score
3.6
EPSS Score
0.007
Published
2012-06-17
Page 8