CVE-2012-2692

MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.

CVSS v2.0 3.6 LOW

3.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:S/C:N/I:P/A:P

Exploitability : 3.9 / Impact : 4.9

Access Vector NETWORK

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html
http://secunia.com/advisories/51199
http://security.gentoo.org/glsa/glsa-201211-01.xml
http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
http://www.mantisbt.org/bugs/view.php?id=14016
http://www.openwall.com/lists/oss-security/2012/06/09/1
http://www.openwall.com/lists/oss-security/2012/06/11/6
http://www.securityfocus.com/bid/53921
https://github.com/mantisbt/mantisbt/commit/ceafe6f0c679411b81368052633a63dd3ca06d9c	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mantisbt:mantisbt::::::::
	cpe:2.3:a:mantisbt:mantisbt:0.18.0:::::::*
	cpe:2.3:a:mantisbt:mantisbt:0.19.0:::::::*
	cpe:2.3:a:mantisbt:mantisbt:0.19.0:a1::::::
	cpe:2.3:a:mantisbt:mantisbt:0.19.0:a2::::::
	cpe:2.3:a:mantisbt:mantisbt:0.19.0:rc1::::::
	cpe:2.3:a:mantisbt:mantisbt:0.19.1:::::::*
	cpe:2.3:a:mantisbt:mantisbt:0.19.2:::::::*
	cpe:2.3:a:mantisbt:mantisbt:0.19.3:::::::*
	cpe:2.3:a:mantisbt:mantisbt:0.19.4:::::::*
	cpe:2.3:a:mantisbt:mantisbt:0.19.5:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:a1::::::
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:a2::::::
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:a3::::::
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc1::::::
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc2::::::
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc3::::::
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc4::::::
	cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc5::::::
	cpe:2.3:a:mantisbt:mantisbt:1.0.1:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.2:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.3:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.4:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.5:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.6:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.7:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.0.8:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.1.0:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.1.1:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.1.2:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.1.4:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.1.5:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.1.6:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.1.7:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.1.8:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.0:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.0:alpha1::::::
	cpe:2.3:a:mantisbt:mantisbt:1.2.0:alpha2::::::
	cpe:2.3:a:mantisbt:mantisbt:1.2.1:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.2:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.3:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.4:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.5:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.6:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.7:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.8:::::::*
	cpe:2.3:a:mantisbt:mantisbt:1.2.9:::::::*

History

12 Jan 2021, 18:05

Type	Values Removed	Values Added
CPE	cpe:2.3:a:mantisbt:mantisbt:1.2.0:a1:::::: cpe:2.3:a:mantisbt:mantisbt:1.2.0:a2::::::	cpe:2.3:a:mantisbt:mantisbt:1.2.0:alpha2:::::: cpe:2.3:a:mantisbt:mantisbt:1.2.0:alpha1::::::

Information

Published : 2012-06-17 03:41

Updated : 2023-12-10 11:16

NVD link : CVE-2012-2692

Mitre link : CVE-2012-2692

CVE.ORG link : CVE-2012-2692

JSON object : View

Products Affected

mantisbt

mantisbt

CWE

CWE-264

Permissions, Privileges, and Access Controls

3.6 /10