In manage_proj_edit_page.php in MantisBT before 2.24.4, any unprivileged logged-in user can retrieve Private Projects' names via the manage_proj_edit_page.php project_id parameter, without having access to them.
References
| Link | Resource |
|---|---|
| https://mantisbt.org/bugs/view.php?id=27357 | Exploit, Patch, Vendor Advisory |
| https://mantisbt.org/bugs/view.php?id=27726 | Exploit, Patch, Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-01-29T06:41:36
Updated: 2021-01-29T06:41:36
Reserved: 2020-12-07T00:00:00
Link: CVE-2020-29603
NVD Information
Status: Analyzed
Published: 2021-01-29T07:15:17.810
Modified: 2021-01-30T00:43:06.813
Link: CVE-2020-29603
Redhat Information
No data.
CWE