SB2021010508 - Multiple vulnerabilities in MantisBT

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2020-28413)

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "access" parameter of the mc_project_get_users function through the API SOAP. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

2) Improper access control (CVE-ID: CVE-2020-35849)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnotes revisions, gaining access to potentially confidential information via the bugnote_id parameter.

Remediation

Install update from vendor's website.

References

• http://packetstormsecurity.com/files/160750/Mantis-Bug-Tracker-2.24.3-SQL-Injection.html
• https://ethicalhcop.medium.com/cve-2020-28413-blind-sql-injection-en-mantis-bug-tracker-2-24-3-api-soap-54238f8e046d
• https://mantisbt.org/bugs/view.php?id=27370