Access Control Vulnerability in MantisBT Affecting Multiple Project Types

CVE-2020-29605

What is CVE-2020-29605?

An access control vulnerability was identified in MantisBT prior to version 2.24.4. This flaw allows logged-in users with permission to perform Group Actions to inadvertently access Summary fields of private issues, including those marked as Private or belonging to private projects. This vulnerability arises from inadequate access-level verification, enabling potential unauthorized exposure of sensitive issue information through manipulated URLs.

References