Exposure of Private Project Names in MantisBT by Unprivileged Users
CVE-2020-29603

4.3MEDIUM

Key Information:

Vendor: Mantisbt
Status: Mantisbt
Vendor: CVE Published:; 29 January 2021

What is CVE-2020-29603?

In MantisBT prior to version 2.24.4, a security flaw exists in the manage_proj_edit_page.php script. This vulnerability allows any logged-in user without adequate privileges to retrieve the names of private projects by manipulating the project_id parameter. This exposure poses significant risks as it may lead to unauthorized access to sensitive project information, compromising user privacy and project security.

References

https://mantisbt.org/bugs/view.php?id=27726

x_refsource_MISC

https://mantisbt.org/bugs/view.php?id=27357

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 29, 2021
Vulnerability Reserved
Dec 7, 2020

Mantisbt

What is CVE-2020-29603?

References

CVSS V3.1

Timeline