MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2012-06-17T01:00:00
Updated: 2013-03-02T10:00:00
Reserved: 2012-05-14T00:00:00
Link: CVE-2012-2692
JSON object: View
NVD Information
Status : Modified
Published: 2012-06-17T03:41:41.907
Modified: 2021-01-12T18:05:56.147
Link: CVE-2012-2692
JSON object: View
Redhat Information
No data.
CWE