CVE-2012-2692
Published: 17 June 2012
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
mantis Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Ignored
(end of life)
|
|
| natty |
Released
(1.1.8+dfsg-10squeeze2build0.11.04.1)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Ignored
(end of life)
|
|
| quantal |
Not vulnerable
(1.2.11-1)
|
|
| raring |
Not vulnerable
(1.2.11-1)
|
|
| saucy |
Not vulnerable
(1.2.11-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(1.2.11-1)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
References
- https://github.com/mantisbt/mantisbt/commit/ceafe6f0c679411b81368052633a63dd3ca06d9c
- http://www.openwall.com/lists/oss-security/2012/06/11/6
- http://www.openwall.com/lists/oss-security/2012/06/09/1
- http://www.mantisbt.org/bugs/view.php?id=14016
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
- https://www.cve.org/CVERecord?id=CVE-2012-2692
- NVD
- Launchpad
- Debian