Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2012-2691

The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.

Published

2012-06-17T03:41:41.857

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-264

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mantisbt	mantisbt	≤ 1.2.10	Yes
Application	mantisbt	mantisbt	0.18.0	Yes
Application	mantisbt	mantisbt	0.19.0	Yes
Application	mantisbt	mantisbt	0.19.0	Yes
Application	mantisbt	mantisbt	0.19.0	Yes
Application	mantisbt	mantisbt	0.19.0	Yes
Application	mantisbt	mantisbt	0.19.1	Yes
Application	mantisbt	mantisbt	0.19.2	Yes
Application	mantisbt	mantisbt	0.19.3	Yes
Application	mantisbt	mantisbt	0.19.4	Yes
Application	mantisbt	mantisbt	0.19.5	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.0	Yes
Application	mantisbt	mantisbt	1.0.1	Yes
Application	mantisbt	mantisbt	1.0.2	Yes
Application	mantisbt	mantisbt	1.0.3	Yes
Application	mantisbt	mantisbt	1.0.4	Yes
Application	mantisbt	mantisbt	1.0.5	Yes
Application	mantisbt	mantisbt	1.0.7	Yes
Application	mantisbt	mantisbt	1.0.8	Yes
Application	mantisbt	mantisbt	1.0.9	Yes
Application	mantisbt	mantisbt	1.1.0	Yes
Application	mantisbt	mantisbt	1.1.0	Yes
Application	mantisbt	mantisbt	1.1.0	Yes
Application	mantisbt	mantisbt	1.1.0	Yes
Application	mantisbt	mantisbt	1.1.0	Yes
Application	mantisbt	mantisbt	1.1.0	Yes
Application	mantisbt	mantisbt	1.1.0	Yes
Application	mantisbt	mantisbt	1.1.0	Yes
Application	mantisbt	mantisbt	1.1.1	Yes
Application	mantisbt	mantisbt	1.1.2	Yes
Application	mantisbt	mantisbt	1.1.3	Yes
Application	mantisbt	mantisbt	1.1.4	Yes
Application	mantisbt	mantisbt	1.1.5	Yes
Application	mantisbt	mantisbt	1.1.6	Yes
Application	mantisbt	mantisbt	1.1.7	Yes
Application	mantisbt	mantisbt	1.1.8	Yes
Application	mantisbt	mantisbt	1.1.9	Yes
Application	mantisbt	mantisbt	1.2.0	Yes
Application	mantisbt	mantisbt	1.2.0	Yes
Application	mantisbt	mantisbt	1.2.0	Yes
Application	mantisbt	mantisbt	1.2.0	Yes
Application	mantisbt	mantisbt	1.2.0	Yes
Application	mantisbt	mantisbt	1.2.0	Yes
Application	mantisbt	mantisbt	1.2.1	Yes
Application	mantisbt	mantisbt	1.2.2	Yes
Application	mantisbt	mantisbt	1.2.3	Yes
Application	mantisbt	mantisbt	1.2.4	Yes
Application	mantisbt	mantisbt	1.2.5	Yes
Application	mantisbt	mantisbt	1.2.6	Yes
Application	mantisbt	mantisbt	1.2.7	Yes
Application	mantisbt	mantisbt	1.2.8	Yes
Application	mantisbt	mantisbt	1.2.9	Yes

References

http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html ([email protected])
http://secunia.com/advisories/49414 Vendor Advisory ([email protected])
http://secunia.com/advisories/51199 ([email protected])
http://security.gentoo.org/glsa/glsa-201211-01.xml ([email protected])
http://www.mantisbt.org/bugs/changelog_page.php?version_id=148 ([email protected])
http://www.mantisbt.org/bugs/view.php?id=14340 ([email protected])
http://www.openwall.com/lists/oss-security/2012/06/09/1 ([email protected])
http://www.openwall.com/lists/oss-security/2012/06/11/6 ([email protected])
http://www.securityfocus.com/bid/53907 ([email protected])
http://www.securityfocus.com/bid/56467 ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/76180 ([email protected])
https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0 Exploit, Patch ([email protected])
https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e Exploit, Patch ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/49414 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/51199 (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-201211-01.xml (af854a3a-2127-422b-91ae-364da2661108)
http://www.mantisbt.org/bugs/changelog_page.php?version_id=148 (af854a3a-2127-422b-91ae-364da2661108)
http://www.mantisbt.org/bugs/view.php?id=14340 (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2012/06/09/1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2012/06/11/6 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/53907 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/56467 (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/76180 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0 Exploit, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e Exploit, Patch (af854a3a-2127-422b-91ae-364da2661108)