Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/61471?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/61471?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.24.5", "type": "composer", "namespace": "mantisbt", "name": "mantisbt", "version": "2.24.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.28.2", "latest_non_vulnerable_version": "2.28.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54783?format=api", "vulnerability_id": "VCID-1n7b-6pyz-cka5", "summary": "Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process\nInsufficient access control in the registration and password reset process allows an attacker to reset another user's password and take over their account, if the victim has an incomplete request pending.\n\nThe exploit is only possible while the verification token is valid, i.e. for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.\n\nA brute-force attack calling account_update.php with increasing user IDs is possible.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34077", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00225", "scoring_system": "epss", "scoring_elements": "0.45324", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34077" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:51:24Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=34433", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:51:24Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=34433" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34077", "reference_id": "CVE-2024-34077", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34077" }, { "reference_url": "https://github.com/advisories/GHSA-93x3-m7pw-ppqm", "reference_id": "GHSA-93x3-m7pw-ppqm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93x3-m7pw-ppqm" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm", "reference_id": "GHSA-93x3-m7pw-ppqm", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:51:24Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81243?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.26.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.26.2" } ], "aliases": [ "CVE-2024-34077", "GHSA-93x3-m7pw-ppqm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1n7b-6pyz-cka5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91349?format=api", "vulnerability_id": "VCID-843s-1vx7-nueb", "summary": "MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL\nMantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter.\n\nOther database backends are not affected, as they do not perform implicit type conversion from string to integer.\n\n### Impact\nUsing a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to.\n\n### Patches\n* b349e5c890eeda9bd82e7c7e14479853f8a30d9f\n\n### Workarounds\n- [Disabling the SOAP 
API](https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.api.disable) significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.\n\n### Resources\n- https://mantisbt.org/bugs/view.php?id=36902\n\n### Credits\nMantisBT thanks Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30849", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.33855", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30849" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:29:55Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:29:55Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30849", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30849" }, { "reference_url": "https://github.com/advisories/GHSA-phrq-pc6r-f6gh", "reference_id": "GHSA-phrq-pc6r-f6gh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-phrq-pc6r-f6gh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113501?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.28.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-tndh-byw2-xbh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.1" } ], "aliases": [ "CVE-2026-30849", "GHSA-phrq-pc6r-f6gh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-843s-1vx7-nueb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55908?format=api", "vulnerability_id": "VCID-8676-5hmd-s3hm", "summary": "MantisBT vulnerable to information disclosure with user profiles\nUsing a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45792", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "0.00663", "scoring_system": "epss", "scoring_elements": "0.71606", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45792" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/56bbd02dc1fb33a8de5898fd17dc3d698c847f55", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/56bbd02dc1fb33a8de5898fd17dc3d698c847f55" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/ef0f820284032350cc20a39ff9cb2010d5463b41", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T15:31:35Z/" } ], "url": 
"https://github.com/mantisbt/mantisbt/commit/ef0f820284032350cc20a39ff9cb2010d5463b41" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=34640", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T15:31:35Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=34640" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45792", "reference_id": "CVE-2024-45792", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45792" }, { "reference_url": "https://github.com/advisories/GHSA-h5q3-fjp4-2x7r", "reference_id": "GHSA-h5q3-fjp4-2x7r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h5q3-fjp4-2x7r" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h5q3-fjp4-2x7r", "reference_id": "GHSA-h5q3-fjp4-2x7r", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T15:31:35Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h5q3-fjp4-2x7r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82810?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.26.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.26.4" } ], "aliases": [ "CVE-2024-45792", "GHSA-h5q3-fjp4-2x7r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8676-5hmd-s3hm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48327?format=api", "vulnerability_id": "VCID-8wux-1k2d-sbam", "summary": "MantisBT lacks verification when changing a user's email address\nWhen a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55155", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07861", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55155" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:03:02Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=36005", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:03:02Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=36005" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55155", "reference_id": "CVE-2025-55155", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55155" }, { "reference_url": "https://github.com/advisories/GHSA-q747-c74m-69pr", "reference_id": "GHSA-q747-c74m-69pr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q747-c74m-69pr" }, { 
"reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr", "reference_id": "GHSA-q747-c74m-69pr", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:03:02Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71320?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.27.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.27.2" } ], "aliases": [ "CVE-2025-55155", "GHSA-q747-c74m-69pr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8wux-1k2d-sbam" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48324?format=api", "vulnerability_id": "VCID-d3yt-mkwe-33hu", "summary": "MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length\nA lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). 
Once such a note is added:", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46556", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20074", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46556" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T20:44:31Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T20:44:31Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238" }, { "reference_url": 
"https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T20:44:31Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46556", "reference_id": "CVE-2025-46556", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46556" }, { "reference_url": "https://github.com/advisories/GHSA-r3jf-hm7q-qfw5", "reference_id": "GHSA-r3jf-hm7q-qfw5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r3jf-hm7q-qfw5" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5", "reference_id": "GHSA-r3jf-hm7q-qfw5", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T20:44:31Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/71320?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.27.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.27.2" } ], "aliases": [ "CVE-2025-46556", "GHSA-r3jf-hm7q-qfw5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d3yt-mkwe-33hu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47044?format=api", "vulnerability_id": "VCID-ed8g-bc8k-dkgq", "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\nMantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user's email address and username can hijack the user's account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. 
As a workaround, define `$g_path` as appropriate in `config_inc.php`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23830", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01732", "scoring_system": "epss", "scoring_elements": "0.82832", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23830" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T16:05:28Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=19381", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T16:05:28Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=19381" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23830", "reference_id": "", "reference_type": "", "scores": [ { "value": 
"8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23830" }, { "reference_url": "https://github.com/advisories/GHSA-mcqj-7p29-9528", "reference_id": "GHSA-mcqj-7p29-9528", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mcqj-7p29-9528" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528", "reference_id": "GHSA-mcqj-7p29-9528", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T16:05:28Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69016?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.26.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.26.1" } ], "aliases": [ "CVE-2024-23830", "GHSA-mcqj-7p29-9528" ], "risk_score": null, 
"exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ed8g-bc8k-dkgq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43277?format=api", "vulnerability_id": "VCID-hxaw-gp24-9kfv", "summary": "MantisBT vulnerable to XSS via unescaped output in browser_search_plugin.php\nAn XSS issue was discovered in browser_search_plugin.php in MantisBT up to and including 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-28508", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.07116", "scoring_system": "epss", "scoring_elements": "0.91687", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.22039", "scoring_system": "epss", "scoring_elements": "0.95892", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-28508" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/YavuzSahbaz/CVE-2022-28508/blob/main/MantisBT%202.25.2%20XSS%20vulnurability", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/YavuzSahbaz/CVE-2022-28508/blob/main/MantisBT%202.25.2%20XSS%20vulnurability" }, { "reference_url": "https://mantisbt.org", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org" }, { "reference_url": "https://sourceforge.net/projects/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sourceforge.net/projects/mantisbt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28508", "reference_id": "CVE-2022-28508", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28508" }, { "reference_url": "https://github.com/advisories/GHSA-wfg2-2wmw-6894", "reference_id": "GHSA-wfg2-2wmw-6894", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wfg2-2wmw-6894" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61382?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.25.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-jtj9-ccw1-8kd1" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-uk44-j13d-43ce" }, { "vulnerability": 
"VCID-ybzq-wt16-3bc2" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.3" } ], "aliases": [ "CVE-2022-28508", "GHSA-wfg2-2wmw-6894" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hxaw-gp24-9kfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54776?format=api", "vulnerability_id": "VCID-jpyg-rbg3-rybh", "summary": "MantisBT Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor\nIf an issue references a note that belongs to another issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the link, link label, and tooltip.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34080", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52533", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34080" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/0a50562369d823689c9b946066d1e49d3c2df226", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T18:31:57Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/0a50562369d823689c9b946066d1e49d3c2df226" }, { "reference_url": "https://github.com/mantisbt/mantisbt/pull/2000", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T18:31:57Z/" } ], "url": "https://github.com/mantisbt/mantisbt/pull/2000" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=34434", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T18:31:57Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=34434" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34080", "reference_id": "CVE-2024-34080", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34080" }, { "reference_url": "https://github.com/advisories/GHSA-99jc-wqmr-ff2q", "reference_id": "GHSA-99jc-wqmr-ff2q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-99jc-wqmr-ff2q" }, { "reference_url": 
"https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q", "reference_id": "GHSA-99jc-wqmr-ff2q", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T18:31:57Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81243?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.26.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.26.2" } ], "aliases": [ "CVE-2024-34080", "GHSA-99jc-wqmr-ff2q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jpyg-rbg3-rybh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46222?format=api", "vulnerability_id": "VCID-jtj9-ccw1-8kd1", "summary": "MantisBT may disclose project names to unauthorized users\nDue to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-44394", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00491", 
"scoring_system": "epss", "scoring_elements": "0.65991", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-44394" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-13T18:58:41Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=32981", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-13T18:58:41Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=32981" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44394", "reference_id": "CVE-2023-44394", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-44394" }, { "reference_url": "https://github.com/advisories/GHSA-v642-mh27-8j6m", "reference_id": "GHSA-v642-mh27-8j6m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v642-mh27-8j6m" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-v642-mh27-8j6m", "reference_id": "GHSA-v642-mh27-8j6m", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-13T18:58:41Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-v642-mh27-8j6m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67377?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.25.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.8" } ], "aliases": [ "CVE-2023-44394", "GHSA-v642-mh27-8j6m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jtj9-ccw1-8kd1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54779?format=api", "vulnerability_id": "VCID-mubw-sf3f-n3fg", "summary": "Mantis Bug Tracker (MantisBT) vulnerable 
to cross-site scripting\nImproper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:\n- resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field\n- viewing issues (view_all_bug_page.php) when the custom field is displayed as a column\n- printing issues (print_all_bug_page.php) when the custom field is displayed as a column", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34081", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53692", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34081" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T19:02:37Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=34432", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L" 
}, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T19:02:37Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=34432" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34081", "reference_id": "CVE-2024-34081", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34081" }, { "reference_url": "https://github.com/advisories/GHSA-wgx7-jp56-65mq", "reference_id": "GHSA-wgx7-jp56-65mq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wgx7-jp56-65mq" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq", "reference_id": "GHSA-wgx7-jp56-65mq", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T19:02:37Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81243?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.26.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": 
"VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.26.2" } ], "aliases": [ "CVE-2024-34081", "GHSA-wgx7-jp56-65mq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mubw-sf3f-n3fg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48325?format=api", "vulnerability_id": "VCID-n3nu-aawj-s7af", "summary": "MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling\nDue to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.\n\n[1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47776", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.2698", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47776" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-04T20:41:52Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=35967", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=35967" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47776", "reference_id": "CVE-2025-47776", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47776" }, { "reference_url": "https://github.com/advisories/GHSA-4v8w-gg5j-ph37", "reference_id": "GHSA-4v8w-gg5j-ph37", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4v8w-gg5j-ph37" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37", "reference_id": "GHSA-4v8w-gg5j-ph37", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-04T20:41:52Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71320?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.27.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.27.2" } ], "aliases": [ "CVE-2025-47776", "GHSA-4v8w-gg5j-ph37" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n3nu-aawj-s7af" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/110953?format=api", "vulnerability_id": "VCID-stgp-f24d-qqdp", "summary": "MantisBT XSS in manage_custom_field_update.php\nAn issue was discovered in MantisBT through 2.24.3. In the helper_ensure_confirmed call in manage_custom_field_update.php, the custom field name is not sanitized. This may be problematic depending on CSP settings.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35571", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.52244", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.52304", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35571" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/100c3d58c3f6f12b7a6cf97fba473ede521f20db", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/100c3d58c3f6f12b7a6cf97fba473ede521f20db" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=27768", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": 
"" } ], "url": "https://mantisbt.org/bugs/view.php?id=27768" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35571", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35571" }, { "reference_url": "https://github.com/advisories/GHSA-cvrm-cr3m-qj92", "reference_id": "GHSA-cvrm-cr3m-qj92", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cvrm-cr3m-qj92" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/150413?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-hxaw-gp24-9kfv" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-jtj9-ccw1-8kd1" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-uk44-j13d-43ce" }, { "vulnerability": "VCID-uyk7-6syy-m7c3" }, { "vulnerability": "VCID-uzm1-jgsr-ufeg" }, { "vulnerability": "VCID-y7ms-qz8n-3ugn" }, { "vulnerability": "VCID-ybzq-wt16-3bc2" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.0" } ], "aliases": [ "CVE-2020-35571", "GHSA-cvrm-cr3m-qj92" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-stgp-f24d-qqdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110568?format=api", "vulnerability_id": "VCID-uk44-j13d-43ce", "summary": "MantisBT XSS through crafted SVG documents in file_download.php\nAn XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-33910", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48673", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48734", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-33910" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/266762193fc6c09ffc6b14f5a34c86eae3ebee20", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/266762193fc6c09ffc6b14f5a34c86eae3ebee20" }, { "reference_url": "https://mantisbt.org/blog/archives/mantisbt/719", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/blog/archives/mantisbt/719" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=29135", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=29135" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=30384", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=30384" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33910", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33910" }, { "reference_url": "https://github.com/advisories/GHSA-qghg-v7xv-q98q", "reference_id": "GHSA-qghg-v7xv-q98q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qghg-v7xv-q98q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64053?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.25.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": 
"VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-jtj9-ccw1-8kd1" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-ybzq-wt16-3bc2" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.5" } ], "aliases": [ "CVE-2022-33910", "GHSA-qghg-v7xv-q98q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uk44-j13d-43ce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42922?format=api", "vulnerability_id": "VCID-uyk7-6syy-m7c3", "summary": "MantisBT CSV Injection unprivileged user access in csv_export.php\nLack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43257", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00724", "scoring_system": "epss", "scoring_elements": "0.72964", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00724", "scoring_system": "epss", "scoring_elements": "0.72927", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43257" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/99eb8d41cbacc703f88807898dcc9ac55eec0f15", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/99eb8d41cbacc703f88807898dcc9ac55eec0f15" }, { "reference_url": "https://www.mantisbt.org/bugs/view.php?id=29130", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mantisbt.org/bugs/view.php?id=29130" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43257", "reference_id": "CVE-2021-43257", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43257" }, { "reference_url": "https://github.com/advisories/GHSA-rg8f-5p7x-m6wv", "reference_id": "GHSA-rg8f-5p7x-m6wv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-rg8f-5p7x-m6wv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61382?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.25.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-jtj9-ccw1-8kd1" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-uk44-j13d-43ce" }, { "vulnerability": "VCID-ybzq-wt16-3bc2" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.3" } ], "aliases": [ "CVE-2021-43257", "GHSA-rg8f-5p7x-m6wv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uyk7-6syy-m7c3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42919?format=api", "vulnerability_id": "VCID-uzm1-jgsr-ufeg", "summary": "MantisBT vulnerable to XSS due to improper escape in manage_plugin_page.php and manage_plugin_uninstall.php\nAn XSS issue was discovered in MantisBT before 2.25.3. 
Improper escaping of a Plugin name allows execution of arbitrary code (if CSP allows it) in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-26144", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00522", "scoring_system": "epss", "scoring_elements": "0.67249", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00522", "scoring_system": "epss", "scoring_elements": "0.6729", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-26144" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/a7751c3e318011ca1314bc1cfea200d53e0dfff6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/a7751c3e318011ca1314bc1cfea200d53e0dfff6" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=29688", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=29688" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26144", "reference_id": "CVE-2022-26144", "reference_type": "", "scores": [ { 
"value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26144" }, { "reference_url": "https://github.com/advisories/GHSA-rqgj-rqfr-5j6f", "reference_id": "GHSA-rqgj-rqfr-5j6f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rqgj-rqfr-5j6f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61382?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.25.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-jtj9-ccw1-8kd1" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-uk44-j13d-43ce" }, { "vulnerability": "VCID-ybzq-wt16-3bc2" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.3" } ], "aliases": [ "CVE-2022-26144", "GHSA-rqgj-rqfr-5j6f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uzm1-jgsr-ufeg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111224?format=api", "vulnerability_id": "VCID-y7ms-qz8n-3ugn", "summary": "MantisBT allows XSS in manage_custom_field_edit_page.php\nAn XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. 
Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-33557", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0093", "scoring_system": "epss", "scoring_elements": "0.76475", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0093", "scoring_system": "epss", "scoring_elements": "0.76504", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-33557" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/03dd37221e636f8959b8cb9fbad84f38f9582356", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/03dd37221e636f8959b8cb9fbad84f38f9582356" }, { "reference_url": "https://mantisbt.org/blog/archives/mantisbt/699", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/blog/archives/mantisbt/699" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=28552", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=28552" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33557", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33557" }, { "reference_url": "https://github.com/advisories/GHSA-52cx-vphc-jmjm", "reference_id": "GHSA-52cx-vphc-jmjm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-52cx-vphc-jmjm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61979?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.25.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-hxaw-gp24-9kfv" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-jtj9-ccw1-8kd1" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-uk44-j13d-43ce" }, { "vulnerability": "VCID-uyk7-6syy-m7c3" }, { "vulnerability": "VCID-uzm1-jgsr-ufeg" }, { "vulnerability": "VCID-ybzq-wt16-3bc2" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.2" } ], "aliases": [ "CVE-2021-33557", "GHSA-52cx-vphc-jmjm" ], "risk_score": null, "exploitability": null, 
"weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y7ms-qz8n-3ugn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44522?format=api", "vulnerability_id": "VCID-ybzq-wt16-3bc2", "summary": "MantisBT may expose private issues' summaries to unauthorized users\nMantis Bug Tracker (MantisBT) is an open source issue tracker. In versions prior to 2.25.6, due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can access the _Summary_ field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted `bug_arr[]` parameter in *bug_actiongroup_ext.php*. This issue is fixed in version 2.25.6. There are no workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22476", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42019", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42093", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22476" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=31086", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=31086" }, { "reference_url": 
"https://github.com/advisories/GHSA-hf4x-6h87-hm79", "reference_id": "GHSA-hf4x-6h87-hm79", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hf4x-6h87-hm79" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79", "reference_id": "GHSA-hf4x-6h87-hm79", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:00:04Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79" }, { "reference_url": "https://www.mantisbt.org/bugs/view.php?id=31086", "reference_id": "view.php?id=31086", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:00:04Z/" } ], "url": "https://www.mantisbt.org/bugs/view.php?id=31086" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64054?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.25.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-jtj9-ccw1-8kd1" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.6" } ], "aliases": [ "CVE-2023-22476", "GHSA-hf4x-6h87-hm79" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ybzq-wt16-3bc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48326?format=api", "vulnerability_id": "VCID-yhf6-qthy-nqb2", "summary": "MantisBT unauthorized disclosure of private project column configuration\nDue to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project managers having MANAGER role) can use the _Copy From_ action to retrieve the columns configuration from a private project they have no access to.\n\nAccess to the reverse operation (_Copy To_) is correctly controlled, i.e. it is not possible to alter the private project's configuration.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62520", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14158", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62520" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/4fe94f45fa2baea2aeb4b65781d2009e7b4a0bf3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:44:26Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/4fe94f45fa2baea2aeb4b65781d2009e7b4a0bf3" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=36502", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:44:26Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=36502" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62520", "reference_id": "CVE-2025-62520", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62520" }, { "reference_url": "https://github.com/advisories/GHSA-g582-8vwr-68h2", "reference_id": "GHSA-g582-8vwr-68h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g582-8vwr-68h2" }, { 
"reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-g582-8vwr-68h2", "reference_id": "GHSA-g582-8vwr-68h2", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:44:26Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-g582-8vwr-68h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71320?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.27.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.27.2" } ], "aliases": [ "CVE-2025-62520", "GHSA-g582-8vwr-68h2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yhf6-qthy-nqb2" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42958?format=api", "vulnerability_id": "VCID-kh1w-q4tc-6yhd", "summary": "MantisBT Insufficient Session Expiration cookie string not reset after logout\nAn issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. 
This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to log in as them.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2009-20001", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34153", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34053", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2009-20001" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/79a78c09d5ef5ce098adc73f6f1416f00fc238a5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/79a78c09d5ef5ce098adc73f6f1416f00fc238a5" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=11296", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=11296" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=27976", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=27976" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-20001", "reference_id": "CVE-2009-20001", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-20001" }, { "reference_url": "https://github.com/advisories/GHSA-jm72-67rm-763j", "reference_id": "GHSA-jm72-67rm-763j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jm72-67rm-763j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61471?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.24.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n7b-6pyz-cka5" }, { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8676-5hmd-s3hm" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-ed8g-bc8k-dkgq" }, { "vulnerability": "VCID-hxaw-gp24-9kfv" }, { "vulnerability": "VCID-jpyg-rbg3-rybh" }, { "vulnerability": "VCID-jtj9-ccw1-8kd1" }, { "vulnerability": "VCID-mubw-sf3f-n3fg" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-stgp-f24d-qqdp" }, { "vulnerability": "VCID-uk44-j13d-43ce" }, { "vulnerability": "VCID-uyk7-6syy-m7c3" }, { "vulnerability": "VCID-uzm1-jgsr-ufeg" }, { "vulnerability": "VCID-y7ms-qz8n-3ugn" }, { "vulnerability": "VCID-ybzq-wt16-3bc2" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.24.5" } ], "aliases": [ "CVE-2009-20001", "GHSA-jm72-67rm-763j" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kh1w-q4tc-6yhd" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.24.5" }