CVE-2012-2691

Publication date 17 June 2012

Last updated 24 July 2024

Description

The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mantis	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Not in release
	15.04 vivid	Not in release
	14.10 utopic	Not in release
	14.04 LTS trusty	Not in release
	13.10 saucy	Not affected
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Ignored end of life
	11.10 oneiric	Ignored end of life
	11.04 natty	Fixed 1.1.8+dfsg-10squeeze2build0.11.04.1
	10.04 LTS lucid	Ignored end of life
	8.04 LTS hardy	Ignored end of life

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e
https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0
http://xforce.iss.net/xforce/xfdb/76180
http://www.openwall.com/lists/oss-security/2012/06/11/6
http://www.openwall.com/lists/oss-security/2012/06/09/1
http://www.mantisbt.org/bugs/view.php?id=14340
http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
http://secunia.com/advisories/49414
https://www.cve.org/CVERecord?id=CVE-2012-2691