CVSS: 5.5EPSS: 0%CPEs: 62EXPL: 0CVE-2012-5522
https://notcve.org/view.php?id=CVE-2012-5522
MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. MantisBT antes de v1.2.12 no utiliza un valor por defecto esperado durante las decisiones sobre si un usuario puede modificar el estado de un bug, lo que permite a usuarios remotos autenticados eludir restricciones de acceso y hacer cambios en el estado al aprovecharse de un valor en blanco para un configuración "por-estado". • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://openwall.com/lists/oss-security/2012/11/14/1 http://www.mantisbt.org/bugs/changelog_page.php?version_id=150 http://www.mantisbt.org/bugs/view.php?id=14496 http://www.securityfocus.com/bid/56520 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.5EPSS: 0%CPEs: 62EXPL: 0CVE-2012-5523
https://notcve.org/view.php?id=CVE-2012-5523
core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. core/email_api.php en MantisBT antes de v1.2.12 no gestiona adecuadamente el envío de notificaciones por correo electrónico sobre bugs restringidos, lo que podría permitir a usuarios remotos autenticados obtener información confidencial mediante la adición de una nota a un error antes de perder el permiso para ver ese error. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://openwall.com/lists/oss-security/2012/11/14/1 http://www.mantisbt.org/bugs/changelog_page.php?version_id=150 http://www.mantisbt.org/bugs/view.php?id=14704 http://www.securityfocus.com/bid/56520 https://exchange.xforce.ibmcloud.com/vulnerabi • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.9EPSS: 0%CPEs: 59EXPL: 1CVE-2012-1121
https://notcve.org/view.php?id=CVE-2012-1121
MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories. MantisBT anteriores a 1.2.9 no comprueba adecuadamente permisos, lo que permite a usuarios autenticados remotos con privilegios de manager (1) modificar o (2) borrar categorías globales. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.mantisbt.org/bugs/changelog_page.php?version_id=140 http://www.mantisbt.org/bugs/view.php?id=13561 http://www& • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 3.6EPSS: 0%CPEs: 46EXPL: 1CVE-2012-1122
https://notcve.org/view.php?id=CVE-2012-1122
bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project when moving a bug report, which allows remote authenticated users with the report_bug_threshold and move_bug_threshold privileges for a project to bypass intended access restrictions and move bug reports to a different project. bug_actiongroup.php de MantisBT anteriores a 1.2.9 no comprueba apropiadamente el permiso report_bug_threshold del proyecto destino cuando se mueve un reporte de bug, lo que permite a usuarios autenticados remotos con los privilegios report_bug_threshold y move_bug_threshold para un proyecto evitar las restricciones de acceso previstas y mover reportes de bug a un proyecto distinto. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/49572 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.debian.org/security/2012/dsa-2500 http://www.mantisbt.org/bugs/changelog_page&# • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.4EPSS: 2%CPEs: 59EXPL: 1CVE-2012-1119
https://notcve.org/view.php?id=CVE-2012-1119
MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection. MantisBT anteriores a 1.2.9 no audita la acción de un usuario de copiar o clonar un reporte de bug, lo que facilita a atacantes remotos copiar reportes de bug sin detección. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/49572 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.debian.org/security/2012/dsa-2500 http://www.mantisbt.org/bugs/changelog_page&# • CWE-264: Permissions, Privileges, and Access Controls •