CVE-2020-36192

Source
https://cve.org/CVERecord?id=CVE-2020-36192
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36192.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-36192
Published
2021-01-18T20:15:12.603Z
Modified
2026-04-10T04:25:58.798286Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php page, as well as on the list.php page (a pop-up on the Affected Issues id hyperlink). Additionally, if the attacker has "Update threshold" in the plugin's configuration (set to the "updater" access level by default), then they can link any Issue to a Changeset by entering the Issue's Id, even if they do not have access to it.

References

Affected packages

Git / github.com/mantisbt-plugins/source-integration

Affected ranges

Type
GIT
Repo
https://github.com/mantisbt-plugins/source-integration
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.4.1"
        }
    ]
}

Affected versions

Source-0.*
Source-0.10
Source-0.11
Source-0.12
Source-0.12a
Source-0.9
Source-0.9a
Source-0.9b
Source-0.9c
release-0.*
release-0.13.0
release-0.13.1
release-0.13.2
v0.*
v0.14
v0.15
v0.16
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17
v0.18
v1.*
v1.3.0
v1.3.1
v2.*
v2.0.0
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.2.0
v2.3.0
v2.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36192.json"