Insufficient Access Control in Registration and Password Reset Process Exposes Users to Takeover
CVE-2024-34077

7.3 HIGH

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 14 May 2024

Summary

MantisBT, the open source issue tracker, has an insufficient access control vulnerability in its password reset process. An attacker can reset the password of another user while that user has an incomplete reset request pending. The attack works only while the verification token is still active, which by default is about 5 minutes after the user opens the confirmation URL sent by email. Within that window, an attacker could also brute-force the account_update.php script using incrementing user IDs to find an account with a pending request. A successful attack grants complete access to the affected account, exposing whatever data and functionality the user's privileges allow. Users should upgrade to version 2.26.2; as a mitigation until then, the 'TOKEN_EXPIRY_AUTHENTICATED' constant in the configuration file can be lowered to shrink the exploitable window.
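The access-control gap described above can be illustrated with a small model of a token-based reset flow. This is an added example written for this page, not MantisBT's code: the store, function names and the `reset_unbound`/`reset_bound` split are assumptions, and the 5-minute expiry constant simply mirrors the window named in the summary. The flawed variant checks only that a live token was presented and takes the target user from the request; the hardened variant additionally requires that the token was issued for that same user, consumes it on use, and drops it when the configured expiry has elapsed.

```python
"""Constructed model of a password-reset token store (not MantisBT's code).

Demonstrates why a reset token must be bound to the account it was issued for:
with an unbound check, any live token authorises a password change on an
arbitrary user id supplied by the caller.
"""
import secrets

# Assumption for the model: mirrors the ~5 minute window quoted in the advisory.
TOKEN_EXPIRY_SECONDS = 5 * 60


class ResetStore:
    def __init__(self):
        self.tokens = {}     # token -> (user_id it was issued for, issue time)
        self.passwords = {}  # user_id -> current password (plain text only for the model)

    def issue_token(self, user_id, now):
        """Issue a reset token for user_id at time `now` (seconds)."""
        tok = secrets.token_hex(16)
        self.tokens[tok] = (user_id, now)
        return tok

    def _owner_if_live(self, tok, now, expiry=TOKEN_EXPIRY_SECONDS):
        """Return the user id the token was issued for, or None if unknown/expired."""
        entry = self.tokens.get(tok)
        if entry is None:
            return None
        user_id, issued = entry
        if now - issued > expiry:
            del self.tokens[tok]  # expired tokens are purged on first sight
            return None
        return user_id

    def reset_unbound(self, tok, target_user_id, new_password, now):
        """Flawed check: any live token lets the caller pick the target account."""
        if self._owner_if_live(tok, now) is None:
            return False
        self.passwords[target_user_id] = new_password
        return True

    def reset_bound(self, tok, target_user_id, new_password, now,
                    expiry=TOKEN_EXPIRY_SECONDS):
        """Hardened check: token must be live AND issued for target_user_id; single use."""
        owner = self._owner_if_live(tok, now, expiry)
        if owner is None or owner != target_user_id:
            return False
        self.passwords[target_user_id] = new_password
        del self.tokens[tok]  # consume the token so it cannot be replayed
        return True


def demo():
    """Run the two variants against the same pending request and report outcomes."""
    store = ResetStore()
    victim, other = 1, 2
    tok = store.issue_token(victim, now=0)  # victim opened the confirmation URL at t=0

    # Unbound check: a live token plus a different user id changes that user's password.
    unbound_cross_account = store.reset_unbound(tok, other, "pw-x", now=60)

    # Bound check: same attempt is refused; the legitimate owner still succeeds.
    bound_cross_account = store.reset_bound(tok, other, "pw-x", now=60)
    bound_owner = store.reset_bound(tok, victim, "pw-ok", now=60)
    bound_replay = store.reset_bound(tok, victim, "pw-again", now=61)

    # Expiry: a fresh token used after the window is rejected; a shorter
    # configured expiry (the advisory's interim mitigation) rejects it sooner.
    tok2 = store.issue_token(victim, now=1000)
    bound_expired = store.reset_bound(tok2, victim, "pw-late", now=1000 + 400)
    tok3 = store.issue_token(victim, now=2000)
    bound_short_expiry = store.reset_bound(tok3, victim, "pw-late", now=2000 + 90, expiry=60)

    return {
        "unbound_cross_account": unbound_cross_account,
        "bound_cross_account": bound_cross_account,
        "bound_owner": bound_owner,
        "bound_replay": bound_replay,
        "bound_expired": bound_expired,
        "bound_short_expiry": bound_short_expiry,
        "other_password": store.passwords.get(other),
        "victim_password": store.passwords.get(victim),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `expiry` parameter on `reset_bound` stands in for lowering the token lifetime in configuration: it narrows the window but does not close it, which is why binding the token to its owner (the upgrade) is the actual fix.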

Affected Version(s)

mantisbt < 2.26.2

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved

Collectors: NVD Database, Mitre Database