CVE-2012-2691
Published: 17 June 2012
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
mantis Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Ignored
(end of life)
|
|
| natty |
Released
(1.1.8+dfsg-10squeeze2build0.11.04.1)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Ignored
(end of life)
|
|
| quantal |
Not vulnerable
(1.2.11-1)
|
|
| raring |
Not vulnerable
(1.2.11-1)
|
|
| saucy |
Not vulnerable
(1.2.11-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(1.2.11-1)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
References
- https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e
- https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0
- http://xforce.iss.net/xforce/xfdb/76180
- http://www.openwall.com/lists/oss-security/2012/06/11/6
- http://www.openwall.com/lists/oss-security/2012/06/09/1
- http://www.mantisbt.org/bugs/view.php?id=14340
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
- http://secunia.com/advisories/49414
- https://www.cve.org/CVERecord?id=CVE-2012-2691
- NVD
- Launchpad
- Debian