MantisBT 1.2.11 is a security update for the stable 1.2.x branch.
CVE requests for 2 issues have been sent to <email address hidden> as follows:
CVE REQUEST #1
Title: Reporters can edit arbitrary bugnotes via SOAP API
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11
Description:
Roland Becker and Damien Regad (MantisBT developers) found that any user
able to report issues via the SOAP interface could also modify any
bugnotes (comments) created by other users. In a default/typical
MantisBT installation, the SOAP API is enabled and any user can sign up to
report new issues. This vulnerability therefore affects many public-facing
MantisBT installations.
CVE REQUEST #2
Title: delete_attachments_threshold not checked on attachment deletion
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11
Description:
Roland Becker (MantisBT developer) found that the
delete_attachments_threshold permission was not being checked when a
user attempted to delete an attachment from an issue. The more generic
update_bug_threshold permission was being checked instead. MantisBT
administrators may have been under the false impression that their
configuration of the delete_attachments_threshold was successfully
preventing unwanted users from deleting attachments.
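The following PHP is an added illustration, not MantisBT's actual patch for either issue. It shows, in the style of the MantisBT 1.2 core API, the pattern behind both findings: the attachment path enforcing the generic update_bug_threshold where delete_attachments_threshold should have been checked, beside the corrected check, and a bugnote-edit authorization helper of the kind the SOAP update path needed to call. The helper names (attachment_delete_weak, attachment_delete_checked, bugnote_edit_allowed) are mine, and the exact signatures of the core functions used (config_get, access_ensure_bug_level, access_has_bug_level, bugnote_get_field, file_delete) are assumptions to verify against the installed core/*.php files.

```php
<?php
// Added illustration only; not MantisBT's own code. Assumes the MantisBT 1.2
// core helpers named below are loaded via core.php and have the signatures
// used here (an assumption to check against the installed core/*.php files).
require_once( 'core.php' );

// ---- Issue #2: attachment deletion ----

// Weak check, matching the behaviour the advisory describes: only the generic
// update_bug_threshold is enforced, so an administrator's tighter
// delete_attachments_threshold setting has no effect on deletion.
function attachment_delete_weak( $p_file_id, $p_bug_id ) {
	access_ensure_bug_level( config_get( 'update_bug_threshold' ), $p_bug_id );
	file_delete( $p_file_id, 'bug' );
}

// Corrected check: the dedicated threshold the administrator configured is the
// one that gates attachment deletion on this issue.
function attachment_delete_checked( $p_file_id, $p_bug_id ) {
	access_ensure_bug_level( config_get( 'delete_attachments_threshold' ), $p_bug_id );
	file_delete( $p_file_id, 'bug' );
}

// ---- Issue #1: bugnote editing through the SOAP API ----

// Returns true only if $p_user_id may edit bugnote $p_bugnote_id on issue
// $p_bug_id: either the user holds update_bugnote_threshold on that issue, or
// the user authored the note and holds bugnote_user_edit_threshold. A SOAP
// handler that modifies bugnotes should refuse the update when this returns
// false; the vulnerable path performed no such ownership/threshold check.
function bugnote_edit_allowed( $p_bugnote_id, $p_bug_id, $p_user_id ) {
	if ( access_has_bug_level( config_get( 'update_bugnote_threshold' ), $p_bug_id, $p_user_id ) ) {
		return true;
	}
	$t_reporter_id = (int) bugnote_get_field( $p_bugnote_id, 'reporter_id' );
	return ( $t_reporter_id === (int) $p_user_id )
		&& access_has_bug_level( config_get( 'bugnote_user_edit_threshold' ), $p_bug_id, $p_user_id );
}
```

Administrators verifying a deployment can use the same split to audit their own configuration: confirm that delete_attachments_threshold is set to the intended level and, after upgrading to 1.2.11, that an account at reporter level can neither delete another user's attachment nor edit another user's bugnote over SOAP.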
References:
[1] http://www.mantisbt.org/bugs/view.php?id=14340 (CVE REQUEST #1)
[2] http://www.mantisbt.org/bugs/view.php?id=14016 (CVE REQUEST #2)
Reproducible: Always