Candidate: CVE-2012-2691
PublicDate: 2012-06-17 03:41:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2691
 https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e
 https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0
 http://xforce.iss.net/xforce/xfdb/76180
 http://www.openwall.com/lists/oss-security/2012/06/11/6
 http://www.openwall.com/lists/oss-security/2012/06/09/1
 http://www.mantisbt.org/bugs/view.php?id=14340
 http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
 http://secunia.com/advisories/49414
Description:
 The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676783
 https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_mantis:
upstream_mantis: released (1.2.11-1)
hardy_mantis: ignored (reached end-of-life)
lucid_mantis: ignored (reached end-of-life)
natty_mantis: released (1.1.8+dfsg-10squeeze2build0.11.04.1)
oneiric_mantis: ignored (reached end-of-life)
precise_mantis: ignored (reached end-of-life)
precise/esm_mantis: DNE (precise was needed)
quantal_mantis: not-affected (1.2.11-1)
raring_mantis: not-affected (1.2.11-1)
saucy_mantis: not-affected (1.2.11-1)
trusty_mantis: DNE
trusty/esm_mantis: DNE
utopic_mantis: DNE
vivid_mantis: DNE
vivid/stable-phone-overlay_mantis: DNE
vivid/ubuntu-core_mantis: DNE
wily_mantis: DNE
xenial_mantis: DNE
yakkety_mantis: DNE
zesty_mantis: DNE
devel_mantis: DNE