GHSA-xjmx-cprh-646r

Source
https://github.com/advisories/GHSA-xjmx-cprh-646r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjmx-cprh-646r/GHSA-xjmx-cprh-646r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xjmx-cprh-646r
Aliases
Published
2022-05-24T17:29:51Z
Modified
2025-05-29T14:57:02.671906Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
MantisBT unauthorized users able to access private files
Details

An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.

Database specific
{
    "github_reviewed_at": "2025-05-29T14:09:17Z",
    "github_reviewed": true,
    "nvd_published_at": "2020-09-30T21:15:00Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE"
}
References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name
mantisbt/mantisbt
Purl
pkg:composer/mantisbt/mantisbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.24.3

Affected versions

2.*

2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.14.0
2.15.0
2.15.1
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.19.0
2.19.1
2.20.0
2.20.1
2.21.0
2.21.1
2.21.2
2.21.3
2.22.0
2.22.1
2.22.2
2.23.0
2.23.1
2.24.0
2.24.1
2.24.2