CVE-2020-29605
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
An issue was discovered in MantisBT before 2.24.4. Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary fields of private Issues via bug_arr[]= in a crafted bug_actiongroup_page.php URL. (The target Issues can have Private view status, or belong to a private Project.)
Se detectó un problema en MantisBT versiones anteriores a 2.24.4. Debido a unas comprobaciones de nivel de acceso insuficientes, cualquier usuario que haya iniciado sesión con permiso para llevar a cabo acciones de grupo puede conseguir acceso a los campos de Resumen de Problemas privados por medio de bug_arr[]= en una URL bug_actiongroup_page.php diseñada. (Los problemas objetivos pueden tener un estado de vista Privada o pertenecer a un proyecto privado)
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-07 CVE Reserved
- 2021-01-29 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://mantisbt.org/bugs/view.php?id=27357 | 2024-08-04 | |
| https://mantisbt.org/bugs/view.php?id=27727 | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mantisbt Search vendor "Mantisbt" | Mantisbt Search vendor "Mantisbt" for product "Mantisbt" | < 2.24.4 Search vendor "Mantisbt" for product "Mantisbt" and version " < 2.24.4" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|