CVE-2020-25781

Published: Sep 30, 2020Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.

Affected (1)

Products: Mantisbt: Mantisbt

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mantisbt Mantisbt	Before 2.24.3

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (6)

http://github.com/mantisbt/mantisbt/commit/5595c90f11c48164331a20bb9c66098980516e93

Source: cve@mitre.org

PatchThird Party Advisory

http://github.com/mantisbt/mantisbt/commit/9de20c09e5a557e57159a61657ce62f1a4f578fe

Source: cve@mitre.org

PatchThird Party Advisory

https://mantisbt.org/bugs/view.php?id=27039

Source: cve@mitre.org

ExploitPatchVendor Advisory

http://github.com/mantisbt/mantisbt/commit/5595c90f11c48164331a20bb9c66098980516e93

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

http://github.com/mantisbt/mantisbt/commit/9de20c09e5a557e57159a61657ce62f1a4f578fe

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://mantisbt.org/bugs/view.php?id=27039

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchVendor Advisory

Timeline

No history available yet.