MantisBT Critical Security Issue

niggannivea
Posts: 1
Joined: 24 May 2019, 09:01

MantisBT Critical Security Issue

Post by niggannivea »

I don't see a blog post for this one, but this is what their email said:

Dear MantisBT users,

We would like to inform you of a critical security issue, allowing a remote attacker to reset any user's password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).

MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.

The purpose of this message is to give you advance notice and offer you a chance to patch your systems before disclosure of the vulnerability to the general public.

You will find the fix for the issue attached to this message. If you do not know how to apply a unified diff patch, you may also manually update verify.php:

locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):

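The affected and fixed version ranges stated in the advisory above, turned into a triage check an administrator can run against an installed version string. This is an added example, not code from MantisBT or from the advisory; the pre-release ordering (alpha < beta < rc < final) and the assumption that every release at or after a fixed version in the same line carries the fix are this example's own.

```python
import re
from typing import Tuple

# Pre-release ordering assumed by this example: alpha < beta < rc < final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

VersionKey = Tuple[int, int, int, int, int]

# Accepts "1.3.10", "1.3.0-rc.2", "2.0.0-beta.3" and the dot-less "1.3.0-rc2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+)?)?$")


def parse_version(text: str) -> VersionKey:
    """Turn a MantisBT version string into a tuple that sorts chronologically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MantisBT version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):  # pre-release sorts before the final release of the same number
        return (major, minor, patch, _PRE_RANK[m.group(4)], int(m.group(5) or 0))
    return (major, minor, patch, _FINAL_RANK, 0)


# Half-open ranges [first affected, first fixed) taken from the advisory:
# affected since 1.3.0-rc.2, all 2.x releases, fixed in 1.3.10, 2.2.4 and 2.3.1.
# (2, 0, 0, 0, 0) and (2, 3, 0, 0, 0) are the lowest possible keys for 2.0.0
# and 2.3.0, so their pre-releases fall inside the ranges too.
AFFECTED_RANGES = [
    (parse_version("1.3.0-rc.2"), parse_version("1.3.10")),  # 1.3 line
    ((2, 0, 0, 0, 0), parse_version("2.2.4")),               # 2.0.x through 2.2.3
    ((2, 3, 0, 0, 0), parse_version("2.3.1")),               # 2.3.0 and its pre-releases
]


def is_affected(version: str) -> bool:
    """True when the given installed version still has the vulnerable verify.php."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory of installed versions to triage.
    for installed in ("1.2.19", "1.3.0-rc.1", "1.3.0-rc.2", "2.0.0-beta.3", "2.2.4", "2.3.0"):
        print(f"{installed:>12}: {'PATCH NEEDED' if is_affected(installed) else 'ok'}")
```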
atrol
Site Admin
Posts: 8366
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: MantisBT Critical Security Issue

Post by atrol »

This issue was fixed more than two years ago. What's the purpose of posting this topic?
niggannivea wrote (24 May 2019, 09:05): I don't see a blog post
https://mantisbt.org/blog/archives/mantisbt/518
Please use Search before posting and read the Manual