CVE-2014-9506

Published: Jan 4, 2015Modified: May 6, 2026

3.5

Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability: 6.8 / Impact: 2.9

Source: NVD

Description

MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.

Affected (1)

Products: Mantisbt: Mantisbt

Mantisbt

1 product

Mantisbt

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mantisbt Mantisbt	Up to 1.2.17

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (10)

http://seclists.org/oss-sec/2014/q4/955

Source: cve@mitre.org

http://secunia.com/advisories/62101

Source: cve@mitre.org

http://www.debian.org/security/2015/dsa-3120

Source: cve@mitre.org

https://www.mantisbt.org/bugs/changelog_page.php?version_id=191

Source: cve@mitre.org

Vendor Advisory

https://www.mantisbt.org/bugs/view.php?id=9885

Source: cve@mitre.org

Vendor Advisory

http://seclists.org/oss-sec/2014/q4/955