CVE-2012-1120

The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which allows remote authenticated users with read and write SOAP API privileges to delete arbitrary bug reports and bug notes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.6 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:S/C:N/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
mantisbtmantisbt
𝑥
≤ 1.2.8
mantisbtmantisbt
0.18.0
mantisbtmantisbt
0.19.0
mantisbtmantisbt
0.19.0:a1
mantisbtmantisbt
0.19.0:a2
mantisbtmantisbt
0.19.0:rc1
mantisbtmantisbt
0.19.1
mantisbtmantisbt
0.19.2
mantisbtmantisbt
0.19.3
mantisbtmantisbt
0.19.4
mantisbtmantisbt
0.19.5
mantisbtmantisbt
1.0.0
mantisbtmantisbt
1.0.0:a1
mantisbtmantisbt
1.0.0:a2
mantisbtmantisbt
1.0.0:a3
mantisbtmantisbt
1.0.0:rc1
mantisbtmantisbt
1.0.0:rc2
mantisbtmantisbt
1.0.0:rc3
mantisbtmantisbt
1.0.0:rc4
mantisbtmantisbt
1.0.0:rc5
mantisbtmantisbt
1.0.1
mantisbtmantisbt
1.0.2
mantisbtmantisbt
1.0.3
mantisbtmantisbt
1.0.4
mantisbtmantisbt
1.0.5
mantisbtmantisbt
1.0.6
mantisbtmantisbt
1.0.7
mantisbtmantisbt
1.0.8
mantisbtmantisbt
1.0.9
mantisbtmantisbt
1.1.0
mantisbtmantisbt
1.1.0:a1
mantisbtmantisbt
1.1.0:a2
mantisbtmantisbt
1.1.0:a3
mantisbtmantisbt
1.1.0:a4
mantisbtmantisbt
1.1.0:rc1
mantisbtmantisbt
1.1.0:rc2
mantisbtmantisbt
1.1.0:rc3
mantisbtmantisbt
1.1.1
mantisbtmantisbt
1.1.2
mantisbtmantisbt
1.1.3
mantisbtmantisbt
1.1.4
mantisbtmantisbt
1.1.5
mantisbtmantisbt
1.1.6
mantisbtmantisbt
1.1.7
mantisbtmantisbt
1.1.8
mantisbtmantisbt
1.1.9
mantisbtmantisbt
1.2.0
mantisbtmantisbt
1.2.0:alpha1
mantisbtmantisbt
1.2.0:alpha2
mantisbtmantisbt
1.2.0:alpha3
mantisbtmantisbt
1.2.0:rc1
mantisbtmantisbt
1.2.0:rc2
mantisbtmantisbt
1.2.1
mantisbtmantisbt
1.2.2
mantisbtmantisbt
1.2.3
mantisbtmantisbt
1.2.4
mantisbtmantisbt
1.2.5
mantisbtmantisbt
1.2.6
mantisbtmantisbt
1.2.7
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mantis
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
ignored
natty
Fixed 1.1.8+dfsg-10squeeze2build0.11.04.1
released
maverick
ignored
lucid
ignored
hardy
ignored
Common Weakness Enumeration
References
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html
http://secunia.com/advisories/48258
http://secunia.com/advisories/49572
http://secunia.com/advisories/51199
http://security.gentoo.org/glsa/glsa-201211-01.xml
http://www.debian.org/security/2012/dsa-2500
http://www.mantisbt.org/bugs/changelog_page.php?version_id=140
http://www.mantisbt.org/bugs/view.php?id=13656
http://www.openwall.com/lists/oss-security/2012/03/06/9
http://www.securityfocus.com/bid/52313
https://github.com/mantisbt/mantisbt/commit/df7782a65e96aa1c9639a7625a658102134c7fe0
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html
http://secunia.com/advisories/48258
http://secunia.com/advisories/49572
http://secunia.com/advisories/51199
http://security.gentoo.org/glsa/glsa-201211-01.xml
http://www.debian.org/security/2012/dsa-2500
http://www.mantisbt.org/bugs/changelog_page.php?version_id=140
http://www.mantisbt.org/bugs/view.php?id=13656
http://www.openwall.com/lists/oss-security/2012/03/06/9
http://www.securityfocus.com/bid/52313
https://github.com/mantisbt/mantisbt/commit/df7782a65e96aa1c9639a7625a658102134c7fe0