| purl | pkg:composer/mantisbt/mantisbt@2.21.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1n7b-6pyz-cka5 (Aliases: CVE-2024-34077, GHSA-93x3-m7pw-ppqm) | Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and take over their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e. for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force attack calling account_update.php with increasing user IDs is possible. | Affected by 6 other vulnerabilities. |
| VCID-1nq1-6hwz-7kcq (Aliases: CVE-2020-25830, GHSA-2pm7-q8pc-xhvq) | MantisBT HTML Injection vulnerability. An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via `bug_actiongroup_page.php`. | Affected by 24 other vulnerabilities. |
| VCID-1v33-u5bm-pyem (Aliases: CVE-2019-15715, GHSA-v23g-wjvq-2fpf) | MantisBT Remote Code Execution. MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution. | Affected by 27 other vulnerabilities. |
| VCID-5mtg-nbrw-jyhp (Aliases: CVE-2020-29604, GHSA-f38c-wxp6-8xjv) | MantisBT Missing Authorization access check in bug_actiongroup.php. An issue was discovered in MantisBT before 2.24.4. A missing access check in bug_actiongroup.php allows an attacker (with rights to create new issues) to use the COPY group action to create a clone, including all bugnotes and attachments, of any private issue (i.e., one having Private view status, or belonging to a private Project) via the bug_arr[] parameter. This provides full access to potentially confidential information. | Affected by 19 other vulnerabilities. |
| VCID-843s-1vx7-nueb (Aliases: CVE-2026-30849, GHSA-phrq-pc6r-f6gh) | MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL. Mantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. **Impact:** Using a crafted SOAP envelope, an attacker knowing the victim's username is able to log in to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. **Patches:** b349e5c890eeda9bd82e7c7e14479853f8a30d9f. **Workarounds:** [Disabling the SOAP API](https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.api.disable) significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name. **Resources:** https://mantisbt.org/bugs/view.php?id=36902. **Credits:** MantisBT thanks Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue. | Affected by 1 other vulnerability. |
| VCID-8676-5hmd-s3hm (Aliases: CVE-2024-45792, GHSA-h5q3-fjp4-2x7r) | MantisBT vulnerable to information disclosure with user profiles. Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles. | Affected by 5 other vulnerabilities. |
| VCID-8cnw-f9a5-aygc (Aliases: CVE-2019-15539, GHSA-p495-jrpq-p66g) | MantisBT XSS when uploading an attachment. The proj_doc_edit_page.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed when editing the document's page. | Affected by 28 other vulnerabilities. |
| VCID-8hsn-cvrk-1uh5 (Aliases: CVE-2020-35849, GHSA-7j8m-fm49-xgmg) | MantisBT Incorrect Authorization for bug_revision_view_page.php check. An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnotes revisions, gaining access to potentially confidential information via the bugnote_id parameter. | Affected by 19 other vulnerabilities. |
| VCID-8wux-1k2d-sbam (Aliases: CVE-2025-55155, GHSA-q747-c74m-69pr) | MantisBT lacks verification when changing a user's email address. When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. | Affected by 1 other vulnerability. |
| VCID-d3yt-mkwe-33hu (Aliases: CVE-2025-46556, GHSA-r3jf-hm7q-qfw5) | MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length. A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added: | Affected by 1 other vulnerability. |
| VCID-ed8g-bc8k-dkgq (Aliases: CVE-2024-23830, GHSA-mcqj-7p29-9528) | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user's email address and username can hijack the user's account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`. | Affected by 9 other vulnerabilities. |
| VCID-fwyx-hjd4-b7hh (Aliases: CVE-2020-29605, GHSA-pgg9-mmcg-8mxp) | MantisBT Incorrect Authorization in bug_actiongroup_page.php. An issue was discovered in MantisBT before 2.24.4. Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary fields of private Issues via bug_arr[]= in a crafted bug_actiongroup_page.php URL. (The target Issues can have Private view status, or belong to a private Project.) | Affected by 19 other vulnerabilities. |
| VCID-hxaw-gp24-9kfv (Aliases: CVE-2022-28508, GHSA-wfg2-2wmw-6894) | MantisBT vulnerable to XSS via unescaped output in browser_search_plugin.php. An XSS issue was discovered in browser_search_plugin.php in MantisBT up to and including 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field. | Affected by 13 other vulnerabilities. |
| VCID-jpyg-rbg3-rybh (Aliases: CVE-2024-34080, GHSA-99jc-wqmr-ff2q) | MantisBT Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. If an issue references a note that belongs to another issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the link, link label, and tooltip. | Affected by 6 other vulnerabilities. |
| VCID-jqsn-z754-57ek (Aliases: CVE-2020-25781, GHSA-xjmx-cprh-646r) | MantisBT unauthorized users able to access private files. An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly. | Affected by 24 other vulnerabilities. |
| VCID-jtj9-ccw1-8kd1 (Aliases: CVE-2023-44394, GHSA-v642-mh27-8j6m) | MantisBT may disclose project names to unauthorized users. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. | Affected by 10 other vulnerabilities. |
| VCID-kh1w-q4tc-6yhd (Aliases: CVE-2009-20001, GHSA-jm72-67rm-763j) | MantisBT Insufficient Session Expiration: cookie string not reset after logout. An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to log in as them. | Affected by 18 other vulnerabilities. |
| VCID-m956-44xf-2qfz (Aliases: CVE-2019-15074, GHSA-gg4j-279j-22ph) | MantisBT allows cross-site scripting (XSS) via crafted filename. The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed. | Affected by 29 other vulnerabilities. |
| VCID-mubw-sf3f-n3fg (Aliases: CVE-2024-34081, GHSA-wgx7-jp56-65mq) | Mantis Bug Tracker (MantisBT) vulnerable to cross-site scripting. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when: resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field; viewing issues (view_all_bug_page.php) when the custom field is displayed as a column; printing issues (print_all_bug_page.php) when the custom field is displayed as a column. | Affected by 6 other vulnerabilities. |
| VCID-n3nu-aawj-s7af (Aliases: CVE-2025-47776, GHSA-4v8w-gg5j-ph37) | MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling. Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code](https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782), PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation. | Affected by 1 other vulnerability. |
| VCID-qazy-c4se-fyfb (Aliases: CVE-2020-29603, GHSA-qpj5-f88q-x7px) | MantisBT Insecure Storage in manage_proj_edit_page.php. In manage_proj_edit_page.php in MantisBT before 2.24.4, any unprivileged logged-in user can retrieve Private Projects' names via the manage_proj_edit_page.php project_id parameter, without having access to them. | Affected by 19 other vulnerabilities. |
| VCID-smvy-4xzy-4fbq (Aliases: CVE-2020-16266, GHSA-4rrc-5vp6-m3f6) | MantisBT XSS issue on the view_all_bug_page.php. An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it). | Affected by 27 other vulnerabilities. |
| VCID-stgp-f24d-qqdp (Aliases: CVE-2020-35571, GHSA-cvrm-cr3m-qj92) | MantisBT XSS in manage_custom_field_update.php. An issue was discovered in MantisBT through 2.24.3. In the helper_ensure_confirmed call in manage_custom_field_update.php, the custom field name is not sanitized. This may be problematic depending on CSP settings. | Affected by 17 other vulnerabilities. |
| VCID-uk44-j13d-43ce (Aliases: CVE-2022-33910, GHSA-qghg-v7xv-q98q) | MantisBT XSS through crafted SVG documents in file_download.php. An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute. | Affected by 12 other vulnerabilities. |
| VCID-uyk7-6syy-m7c3 (Aliases: CVE-2021-43257, GHSA-rg8f-5p7x-m6wv) | MantisBT CSV Injection: unprivileged user access in csv_export.php. Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel. | Affected by 13 other vulnerabilities. |
| VCID-uzm1-jgsr-ufeg (Aliases: CVE-2022-26144, GHSA-rqgj-rqfr-5j6f) | MantisBT vulnerable to XSS due to improper escape in manage_plugin_page.php and manage_plugin_uninstall.php. An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code (if CSP allows it) in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed. | Affected by 13 other vulnerabilities. |
| VCID-w3u1-um27-1uay (Aliases: CVE-2020-28413, GHSA-49w9-82cj-xr48) | MantisBT SQL Injection via mc_project_get_users function. In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the SOAP API. | Affected by 19 other vulnerabilities. |
| VCID-y7ms-qz8n-3ugn (Aliases: CVE-2021-33557, GHSA-52cx-vphc-jmjm) | MantisBT allows XSS in manage_custom_field_edit_page.php. An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field. | Affected by 16 other vulnerabilities. |
| VCID-ybzq-wt16-3bc2 (Aliases: CVE-2023-22476, GHSA-hf4x-6h87-hm79) | MantisBT may expose private issues' summaries to unauthorized users. Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions prior to 2.25.6, due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can access the _Summary_ field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted `bug_arr[]` parameter in *bug_actiongroup_ext.php*. This issue is fixed in version 2.25.6. There are no workarounds. | Affected by 11 other vulnerabilities. |
| VCID-yhf6-qthy-nqb2 (Aliases: CVE-2025-62520, GHSA-g582-8vwr-68h2) | MantisBT unauthorized disclosure of private project column configuration. Due to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project managers having MANAGER role) can use the _Copy From_ action to retrieve the columns configuration from a private project they have no access to. Access to the reverse operation (_Copy To_) is correctly controlled, i.e. it is not possible to alter the private project's configuration. | Affected by 1 other vulnerability. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||