Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/82810?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/82810?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.26.4", "type": "composer", "namespace": "mantisbt", "name": "mantisbt", "version": "2.26.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.28.2", "latest_non_vulnerable_version": "2.28.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91349?format=api", "vulnerability_id": "VCID-843s-1vx7-nueb", "summary": "MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL\nMantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter.\n\nOther database backends are not affected, as they do not perform implicit type conversion from string to integer.\n\n### Impact\nUsing a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to.\n\n### Patches\n* b349e5c890eeda9bd82e7c7e14479853f8a30d9f\n\n### Workarounds\n- [Disabling the SOAP API](https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.api.disable) significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.\n\n### Resources\n- https://mantisbt.org/bugs/view.php?id=36902\n\n### Credits\nMantisBT thanks Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30849", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.33855", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30849" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:29:55Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:29:55Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30849", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30849" }, { "reference_url": "https://github.com/advisories/GHSA-phrq-pc6r-f6gh", "reference_id": "GHSA-phrq-pc6r-f6gh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-phrq-pc6r-f6gh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113501?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.28.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-tndh-byw2-xbh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.1" } ], "aliases": [ "CVE-2026-30849", "GHSA-phrq-pc6r-f6gh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-843s-1vx7-nueb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48327?format=api", "vulnerability_id": "VCID-8wux-1k2d-sbam", "summary": "MantisBT lacks verification when changing a user's email address\nWhen a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55155", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07861", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55155" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:03:02Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=36005", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:03:02Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=36005" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55155", "reference_id": "CVE-2025-55155", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55155" }, { "reference_url": "https://github.com/advisories/GHSA-q747-c74m-69pr", "reference_id": "GHSA-q747-c74m-69pr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q747-c74m-69pr" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr", "reference_id": "GHSA-q747-c74m-69pr", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:03:02Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71320?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.27.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.27.2" } ], "aliases": [ "CVE-2025-55155", "GHSA-q747-c74m-69pr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8wux-1k2d-sbam" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48324?format=api", "vulnerability_id": "VCID-d3yt-mkwe-33hu", "summary": "MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length\nA lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added:", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46556", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20074", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46556" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T20:44:31Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T20:44:31Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T20:44:31Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46556", "reference_id": "CVE-2025-46556", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46556" }, { "reference_url": "https://github.com/advisories/GHSA-r3jf-hm7q-qfw5", "reference_id": "GHSA-r3jf-hm7q-qfw5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r3jf-hm7q-qfw5" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5", "reference_id": "GHSA-r3jf-hm7q-qfw5", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T20:44:31Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71320?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.27.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.27.2" } ], "aliases": [ "CVE-2025-46556", "GHSA-r3jf-hm7q-qfw5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d3yt-mkwe-33hu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48325?format=api", "vulnerability_id": "VCID-n3nu-aawj-s7af", "summary": "MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling\nDue to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.\n\n[1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47776", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.2698", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47776" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-04T20:41:52Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=35967", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mantisbt.org/bugs/view.php?id=35967" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47776", "reference_id": "CVE-2025-47776", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47776" }, { "reference_url": "https://github.com/advisories/GHSA-4v8w-gg5j-ph37", "reference_id": "GHSA-4v8w-gg5j-ph37", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4v8w-gg5j-ph37" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37", "reference_id": "GHSA-4v8w-gg5j-ph37", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-04T20:41:52Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71320?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.27.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.27.2" } ], "aliases": [ "CVE-2025-47776", "GHSA-4v8w-gg5j-ph37" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n3nu-aawj-s7af" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48326?format=api", "vulnerability_id": "VCID-yhf6-qthy-nqb2", "summary": "MantisBT unauthorized disclosure of private project column configuration\nDue to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project managers having MANAGER role) can use the _Copy From_ action to retrieve the columns configuration from a private project they have no access to.\n\nAccess to the reverse operation (_Copy To_) is correctly controlled, i.e. it is not possible to alter the private project's configuration.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62520", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14158", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62520" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/4fe94f45fa2baea2aeb4b65781d2009e7b4a0bf3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:44:26Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/4fe94f45fa2baea2aeb4b65781d2009e7b4a0bf3" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=36502", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:44:26Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=36502" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62520", "reference_id": "CVE-2025-62520", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62520" }, { "reference_url": "https://github.com/advisories/GHSA-g582-8vwr-68h2", "reference_id": "GHSA-g582-8vwr-68h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g582-8vwr-68h2" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-g582-8vwr-68h2", "reference_id": "GHSA-g582-8vwr-68h2", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-04T21:44:26Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-g582-8vwr-68h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71320?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.27.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.27.2" } ], "aliases": [ "CVE-2025-62520", "GHSA-g582-8vwr-68h2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yhf6-qthy-nqb2" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55908?format=api", "vulnerability_id": "VCID-8676-5hmd-s3hm", "summary": "MantisBT vulnerable to information disclosure with user profiles\nUsing a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45792", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00663", "scoring_system": "epss", "scoring_elements": "0.71606", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45792" }, { "reference_url": "https://github.com/mantisbt/mantisbt", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/56bbd02dc1fb33a8de5898fd17dc3d698c847f55", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mantisbt/mantisbt/commit/56bbd02dc1fb33a8de5898fd17dc3d698c847f55" }, { "reference_url": "https://github.com/mantisbt/mantisbt/commit/ef0f820284032350cc20a39ff9cb2010d5463b41", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T15:31:35Z/" } ], "url": "https://github.com/mantisbt/mantisbt/commit/ef0f820284032350cc20a39ff9cb2010d5463b41" }, { "reference_url": "https://mantisbt.org/bugs/view.php?id=34640", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T15:31:35Z/" } ], "url": "https://mantisbt.org/bugs/view.php?id=34640" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45792", "reference_id": "CVE-2024-45792", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45792" }, { "reference_url": "https://github.com/advisories/GHSA-h5q3-fjp4-2x7r", "reference_id": "GHSA-h5q3-fjp4-2x7r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h5q3-fjp4-2x7r" }, { "reference_url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h5q3-fjp4-2x7r", "reference_id": "GHSA-h5q3-fjp4-2x7r", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T15:31:35Z/" } ], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h5q3-fjp4-2x7r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82810?format=api", "purl": "pkg:composer/mantisbt/mantisbt@2.26.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-843s-1vx7-nueb" }, { "vulnerability": "VCID-8wux-1k2d-sbam" }, { "vulnerability": "VCID-d3yt-mkwe-33hu" }, { "vulnerability": "VCID-n3nu-aawj-s7af" }, { "vulnerability": "VCID-yhf6-qthy-nqb2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.26.4" } ], "aliases": [ "CVE-2024-45792", "GHSA-h5q3-fjp4-2x7r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8676-5hmd-s3hm" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.26.4" }