mantis: multiple vulnerabilities
| Package(s): | mantis |
| CVE #(s): | CVE-2012-5522 CVE-2012-5523 |
| Created: | November 26, 2012 |
| Updated: | November 28, 2012 |
| Description: | From the CVE entries:

MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting. (CVE-2012-5522)

core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug. (CVE-2012-5523) |
