CVE-2012-2692

EUVD-2012-2674
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.6 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:S/C:N/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Affected Products (NVD)
VendorProductVersion
mantisbtmantisbt
𝑥
≤ 1.2.10
mantisbtmantisbt
0.18.0
mantisbtmantisbt
0.19.0
mantisbtmantisbt
0.19.0:a1
mantisbtmantisbt
0.19.0:a2
mantisbtmantisbt
0.19.0:rc1
mantisbtmantisbt
0.19.1
mantisbtmantisbt
0.19.2
mantisbtmantisbt
0.19.3
mantisbtmantisbt
0.19.4
mantisbtmantisbt
0.19.5
mantisbtmantisbt
1.0.0
mantisbtmantisbt
1.0.0:a1
mantisbtmantisbt
1.0.0:a2
mantisbtmantisbt
1.0.0:a3
mantisbtmantisbt
1.0.0:rc1
mantisbtmantisbt
1.0.0:rc2
mantisbtmantisbt
1.0.0:rc3
mantisbtmantisbt
1.0.0:rc4
mantisbtmantisbt
1.0.0:rc5
mantisbtmantisbt
1.0.1
mantisbtmantisbt
1.0.2
mantisbtmantisbt
1.0.3
mantisbtmantisbt
1.0.4
mantisbtmantisbt
1.0.5
mantisbtmantisbt
1.0.6
mantisbtmantisbt
1.0.7
mantisbtmantisbt
1.0.8
mantisbtmantisbt
1.1.0
mantisbtmantisbt
1.1.1
mantisbtmantisbt
1.1.2
mantisbtmantisbt
1.1.4
mantisbtmantisbt
1.1.5
mantisbtmantisbt
1.1.6
mantisbtmantisbt
1.1.7
mantisbtmantisbt
1.1.8
mantisbtmantisbt
1.2.0
mantisbtmantisbt
1.2.0:alpha1
mantisbtmantisbt
1.2.0:alpha2
mantisbtmantisbt
1.2.1
mantisbtmantisbt
1.2.2
mantisbtmantisbt
1.2.3
mantisbtmantisbt
1.2.4
mantisbtmantisbt
1.2.5
mantisbtmantisbt
1.2.6
mantisbtmantisbt
1.2.7
mantisbtmantisbt
1.2.8
mantisbtmantisbt
1.2.9
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mantis
hardy
ignored
lucid
ignored
natty
Fixed 1.1.8+dfsg-10squeeze2build0.11.04.1
released
oneiric
ignored
precise
ignored
quantal
not-affected
raring
not-affected
saucy
not-affected
trusty
dne
utopic
dne
vivid
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
Common Weakness Enumeration
References
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html
http://secunia.com/advisories/51199
http://security.gentoo.org/glsa/glsa-201211-01.xml
http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
http://www.mantisbt.org/bugs/view.php?id=14016
http://www.openwall.com/lists/oss-security/2012/06/09/1
http://www.openwall.com/lists/oss-security/2012/06/11/6
http://www.securityfocus.com/bid/53921
https://github.com/mantisbt/mantisbt/commit/ceafe6f0c679411b81368052633a63dd3ca06d9c
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html
http://secunia.com/advisories/51199
http://security.gentoo.org/glsa/glsa-201211-01.xml
http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
http://www.mantisbt.org/bugs/view.php?id=14016
http://www.openwall.com/lists/oss-security/2012/06/09/1
http://www.openwall.com/lists/oss-security/2012/06/11/6
http://www.securityfocus.com/bid/53921
https://github.com/mantisbt/mantisbt/commit/ceafe6f0c679411b81368052633a63dd3ca06d9c