CVE-2014-9117

MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
mantisbtmantisbt
𝑥
≤ 1.2.17
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mantis
zesty
dne
yakkety
dne
xenial
dne
wily
dne
vivid
dne
utopic
dne
trusty
dne
precise
ignored
lucid
ignored
Common Weakness Enumeration
References
http://secunia.com/advisories/62101
http://www.debian.org/security/2015/dsa-3120
http://www.openwall.com/lists/oss-security/2014/11/26/19
http://www.openwall.com/lists/oss-security/2014/11/27/8
http://www.securityfocus.com/bid/71321
https://exchange.xforce.ibmcloud.com/vulnerabilities/99004
https://github.com/mantisbt/mantisbt/commit/7bb78e45
https://www.mantisbt.org/bugs/view.php?id=17811
http://secunia.com/advisories/62101
http://www.debian.org/security/2015/dsa-3120
http://www.openwall.com/lists/oss-security/2014/11/26/19
http://www.openwall.com/lists/oss-security/2014/11/27/8
http://www.securityfocus.com/bid/71321
https://exchange.xforce.ibmcloud.com/vulnerabilities/99004
https://github.com/mantisbt/mantisbt/commit/7bb78e45
https://www.mantisbt.org/bugs/view.php?id=17811