Permissions, Privileges, and Access Controls in MantisBT - CVE-2012-1121

 


Published: June 29, 2012 / Updated: August 11, 2020


Vulnerability identifier: #VU43924
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-1121
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: mantisbt.sourceforge.net
Affected software:
MantisBT

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate or delete data.

MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories.


How to mitigate CVE-2012-1121

Install the update from the vendor's website.
