CVE-2014-8988
Published: Nov 24, 2014
Modified: Aug 6, 2024
PUBLISHED
Description
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Type | Tag |
|---|---|---|
| [oss-security] 20141115 CVE Request: information disclosure in MantisBT attachments | mailing-list | x_refsource_MLIST |
| https://github.com/mantisbt/mantisbt/commit/5f0b150b | | x_refsource_CONFIRM |
| http://www.mantisbt.org/bugs/view.php?id=17742 | | x_refsource_CONFIRM |
| 62101 | third-party-advisory | x_refsource_SECUNIA |
| 71104 | vdb-entry | x_refsource_BID |
| [oss-security] 20141119 Re: CVE Request: information disclosure in MantisBT attachments | mailing-list | x_refsource_MLIST |
| mantisbt-fileapi-sec-bypass(98731) | vdb-entry | x_refsource_XF |
| DSA-3120 | vendor-advisory | x_refsource_DEBIAN |