CVE-2012-2692
Published: 17 June 2012
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.
Priority
Status
| Package | Release | Status |
|---|---|---|
| mantis (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
| mantis | lucid | Ignored (end of life) |
| mantis | natty | Released (1.1.8+dfsg-10squeeze2build0.11.04.1) |
| mantis | oneiric | Ignored (end of life) |
| mantis | precise | Ignored (end of life) |
| mantis | quantal | Not vulnerable (1.2.11-1) |
| mantis | raring | Not vulnerable (1.2.11-1) |
| mantis | saucy | Not vulnerable (1.2.11-1) |
| mantis | trusty | Does not exist |
| mantis | upstream | Released (1.2.11-1) |
| mantis | utopic | Does not exist |
| mantis | vivid | Does not exist |
| mantis | wily | Does not exist |
| mantis | xenial | Does not exist |
| mantis | yakkety | Does not exist |
| mantis | zesty | Does not exist |
References
- https://github.com/mantisbt/mantisbt/commit/ceafe6f0c679411b81368052633a63dd3ca06d9c
- http://www.openwall.com/lists/oss-security/2012/06/11/6
- http://www.openwall.com/lists/oss-security/2012/06/09/1
- http://www.mantisbt.org/bugs/view.php?id=14016
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
- https://www.cve.org/CVERecord?id=CVE-2012-2692
- NVD
- Launchpad
- Debian