Page 14 of 85 results (0.012 seconds)

CVSS: 4.9EPSS: 0%CPEs: 59EXPL: 1

MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories. MantisBT anteriores a 1.2.9 no comprueba adecuadamente permisos, lo que permite a usuarios autenticados remotos con privilegios de manager (1) modificar o (2) borrar categorías globales. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.mantisbt.org/bugs/changelog_page.php?version_id=140 http://www.mantisbt.org/bugs/view.php?id=13561 http://www& • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 3.6EPSS: 0%CPEs: 46EXPL: 1

bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project when moving a bug report, which allows remote authenticated users with the report_bug_threshold and move_bug_threshold privileges for a project to bypass intended access restrictions and move bug reports to a different project. bug_actiongroup.php de MantisBT anteriores a 1.2.9 no comprueba apropiadamente el permiso report_bug_threshold del proyecto destino cuando se mueve un reporte de bug, lo que permite a usuarios autenticados remotos con los privilegios report_bug_threshold y move_bug_threshold para un proyecto evitar las restricciones de acceso previstas y mover reportes de bug a un proyecto distinto. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/49572 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.debian.org/security/2012/dsa-2500 http://www.mantisbt.org/bugs/changelog_page&# • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.4EPSS: 2%CPEs: 59EXPL: 1

MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection. MantisBT anteriores a 1.2.9 no audita la acción de un usuario de copiar o clonar un reporte de bug, lo que facilita a atacantes remotos copiar reportes de bug sin detección. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/49572 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.debian.org/security/2012/dsa-2500 http://www.mantisbt.org/bugs/changelog_page&# • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 46EXPL: 1

The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform certain operations on private bug reports. La función access_has_bug_level de core/access_api.php de MantisBT anteriores a 1.2.9 no restringe el acceso apropiadamente si private_bug_view_threshold es configurado a un array, lo que permite a atacantes remotos evitar las restricciones previstas y realizar determinadas acciones en reportes de bug privados. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/49572 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.debian.org/security/2012/dsa-2500 http://www.mantisbt.org/bugs/changelog_page&# • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 3.6EPSS: 0%CPEs: 59EXPL: 0

The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which allows remote authenticated users with read and write SOAP API privileges to delete arbitrary bug reports and bug notes. La API SOAP de MantisBT anteriores a 1.2.9 no establece adecuadamente los permisos bugnote_allow_user_edit_delete y delete_bug_threshold permissions, lo que permite a usuarios autenticados remotos con privilegios SOAP API de lectura y escritura borrar reportes y notas de bug. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/48258 http://secunia.com/advisories/49572 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.debian.org/security/2012/dsa-2500 http://www.mantisbt.org/bugs/changelog_page&# • CWE-264: Permissions, Privileges, and Access Controls •