GHSA-V642-MH27-8J6M

Vulnerability from github – Published: 2023-10-17 14:20 – Updated: 2025-08-11 14:48
VLAI?
Summary
MantisBT may disclose project names to unauthorized users
Details

Impact

Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs.

Patches

The vulnerability has been fixed in MantisBT version 2.25.8 (https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1).

Workarounds

Disable wiki integration ( $g_wiki_enable = OFF;)

References

  • https://mantisbt.org/bugs/view.php?id=32981
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.25.7"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-44394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-17T14:20:36Z",
    "nvd_published_at": "2023-10-16T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nDue to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects\u0027 names, by accessing wiki.php with sequentially incremented IDs.\n\n### Patches\nThe vulnerability has been fixed in MantisBT version 2.25.8 (https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1).\n\n### Workarounds\nDisable wiki integration ( `$g_wiki_enable = OFF;`)\n\n### References\n- https://mantisbt.org/bugs/view.php?id=32981",
  "id": "GHSA-v642-mh27-8j6m",
  "modified": "2025-08-11T14:48:38Z",
  "published": "2023-10-17T14:20:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-v642-mh27-8j6m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44394"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=32981"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MantisBT may disclose project names to unauthorized users "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.