Vulnerability Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure. This issue is fixed in version 2.27.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mantisbt | Mantisbt | < 2.27.2 |
Related Weaknesses (CWE)
References
- https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4Patch
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69prIssue TrackingVendor Advisory
- https://mantisbt.org/bugs/view.php?id=36005ExploitIssue TrackingVendor Advisory
FAQ
What is CVE-2025-55155?
CVE-2025-55155 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that...
How severe is CVE-2025-55155?
CVE-2025-55155 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55155?
Check the references section above for vendor advisories and patch information. Affected products include: Mantisbt Mantisbt.