CVE-2012-2691
https://notcve.org/view.php?id=CVE-2012-2691
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request. La función de mc_issue_note_update en la API SOAP en MantisBT anterior a v1.2.11 no comprueba correctamente los privilegios, lo que permite a atacantes remotos con privilegios de reporte de informes de errores editar bugnotes arbitrarios a través de una solicitud SOAP. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html http://secunia.com/advisories/49414 http://secunia.com/advisories/51199 http://security.gentoo.org/glsa/glsa-201211-01.xml http://www.mantisbt.org/bugs/changelog_page.php?version_id=148 http://www.mantisbt.org/bugs/view.php?id=14340 http://www& • CWE-264: Permissions, Privileges, and Access Controls •