Vulnerability Description
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mantisbt | Mantisbt | <= 1.2.10 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.h
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.h
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.h
- http://secunia.com/advisories/49414 (Vendor Advisory)
- http://secunia.com/advisories/51199
- http://security.gentoo.org/glsa/glsa-201211-01.xml
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
- http://www.mantisbt.org/bugs/view.php?id=14340
- http://www.openwall.com/lists/oss-security/2012/06/09/1
- http://www.openwall.com/lists/oss-security/2012/06/11/6
- http://www.securityfocus.com/bid/53907
- http://www.securityfocus.com/bid/56467
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76180
- https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b7426116310 (Exploit, Patch)
- https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d (Exploit, Patch)
FAQ
What is CVE-2012-2691?
CVE-2012-2691 is a vulnerability with a CVSS score of 7.5 (HIGH). The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes v...
How severe is CVE-2012-2691?
CVE-2012-2691 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2691?
Check the references section above for vendor advisories and patch information. Affected products include: Mantisbt (vendor) Mantisbt (product), versions <= 1.2.10.