CVE-2012-2691
Published: 17 June 2012
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.
Priority
Status
Package | Release | Status |
---|---|---|
mantis | hardy | Ignored (end of life) |
mantis | lucid | Ignored (end of life) |
mantis | natty | Released (1.1.8+dfsg-10squeeze2build0.11.04.1) |
mantis | oneiric | Ignored (end of life) |
mantis | precise | Ignored (end of life) |
mantis | quantal | Not vulnerable (1.2.11-1) |
mantis | raring | Not vulnerable (1.2.11-1) |
mantis | saucy | Not vulnerable (1.2.11-1) |
mantis | trusty | Does not exist |
mantis | upstream | Released (1.2.11-1) |
mantis | utopic | Does not exist |
mantis | vivid | Does not exist |
mantis | wily | Does not exist |
mantis | xenial | Does not exist |
mantis | yakkety | Does not exist |
mantis | zesty | Does not exist |
References
- https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e
- https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0
- http://xforce.iss.net/xforce/xfdb/76180
- http://www.openwall.com/lists/oss-security/2012/06/11/6
- http://www.openwall.com/lists/oss-security/2012/06/09/1
- http://www.mantisbt.org/bugs/view.php?id=14340
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
- http://secunia.com/advisories/49414
- https://www.cve.org/CVERecord?id=CVE-2012-2691
- NVD
- Launchpad
- Debian