CVE-2012-5523
MEDIUM severity · CVSS 5.5 · CWE-264
5.5CVSS MEDIUM
Summary
core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impactNone
Exploit probability (EPSS)2%
AV:N/AC:L/Au:S/C:P/I:P/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html
- http://openwall.com/lists/oss-security/2012/11/14/1
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=150
- http://www.mantisbt.org/bugs/view.php?id=14704
- http://www.securityfocus.com/bid/56520
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80070