MantisBT

Email Archive: mantisbt-dev (read-only)

2001:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov (2)	_Dec (11)
2002:	_Jan (18)	_Feb (17)	_Mar (11)	_Apr (12)	_May (21)	_Jun (76)	_Jul (8)	_Aug (156)	_Sep (117)	_Oct (67)	_Nov (122)	_Dec (134)
2003:	_Jan (170)	_Feb (214)	_Mar (121)	_Apr (36)	_May (25)	_Jun (10)	_Jul (13)	_Aug (69)	_Sep (3)	_Oct (17)	_Nov (2)	_Dec (40)
2004:	_Jan (34)	_Feb (50)	_Mar (69)	_Apr (10)	_May (76)	_Jun (126)	_Jul (180)	_Aug (32)	_Sep (43)	_Oct (31)	_Nov (25)	_Dec (21)
2005:	_Jan (23)	_Feb (75)	_Mar (32)	_Apr (34)	_May (23)	_Jun (34)	_Jul (25)	_Aug (21)	_Sep (31)	_Oct (34)	_Nov (6)	_Dec (16)
2006:	_Jan (9)	_Feb (19)	_Mar (45)	_Apr (64)	_May (33)	_Jun (29)	_Jul (11)	_Aug (24)	_Sep (55)	_Oct (24)	_Nov (38)	_Dec (40)
2007:	_Jan (47)	_Feb (28)	_Mar (89)	_Apr (35)	_May (58)	_Jun (30)	_Jul (103)	_Aug (80)	_Sep (57)	_Oct (108)	_Nov (45)	_Dec (38)
2008:	_Jan (39)	_Feb (45)	_Mar (29)	_Apr (46)	_May (39)	_Jun (20)	_Jul (19)	_Aug (38)	_Sep (40)	_Oct (49)	_Nov (64)	_Dec (31)
2009:	_Jan (20)	_Feb (31)	_Mar (28)	_Apr (46)	_May (45)	_Jun (45)	_Jul (32)	_Aug (11)	_Sep (34)	_Oct (33)	_Nov (40)	_Dec (17)
2010:	_Jan (28)	_Feb (55)	_Mar (23)	_Apr (78)	_May (33)	_Jun (11)	_Jul (10)	_Aug (12)	_Sep (70)	_Oct (89)	_Nov (55)	_Dec (33)
2011:	_Jan (33)	_Feb (66)	_Mar (33)	_Apr (40)	_May (20)	_Jun (29)	_Jul (199)	_Aug (42)	_Sep (76)	_Oct (10)	_Nov (29)	_Dec (38)
2012:	_Jan (30)	_Feb (52)	_Mar (56)	_Apr (25)	_May (17)	_Jun (93)	_Jul (15)	_Aug (19)	_Sep (23)	_Oct (78)	_Nov (59)	_Dec (2)
2013:	_Jan (62)	_Feb (18)	_Mar (12)	_Apr (119)	_May (47)	_Jun (24)	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[mantisbt-dev] CVE requests (x2) for Mantis Bug Tracker (MantisBT) before 1.2.11

From: David Hicks <d@hx...> - 2012-06-09 08:19

Attachments: signature.asc

CVE REQUEST #1

Title: Reporters can edit arbitrary bugnotes via SOAP API
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11

Description:
Roland Becker and Damien Regad (MantisBT developers) found that any user
able to report issues via the SOAP interface could also modify any
bugnotes (comments) created by other users. In a default/typical
MantisBT installation, SOAP API is enabled and any user can sign up to
report new issues. This vulnerability therefore impacts upon many public
facing MantisBT installations.

References:
[1] http://www.mantisbt.org/bugs/view.php?id=14340



CVE REQUEST #2

Title: delete_attachments_threshold not checked on attachment deletion
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11

Description:
Roland Becker (MantisBT developer) found that the
delete_attachments_threshold permission was not being checked when a
user attempted to delete an attachment from an issue. The more generic
update_bug_threshold permission was being checked instead. MantisBT
administrators may have been under the false impression that their
configuration of the delete_attachments_threshold was successfully
preventing unwanted users from deleting attachments.

References:
[1] http://www.mantisbt.org/bugs/view.php?id=14016



With thanks,
David Hicks
MantisBT Developer
#mantisbt irc.freenode.net
http://www.mantisbt.org/bugs/