CVE-2014-8988

Published: 24 November 2014

MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.

Priority

Status

Package	Release	Status
mantis Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Ignored (end of life)
	trusty	Does not exist
	upstream	Needed
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist

References

http://github.com/mantisbt/mantisbt/commit/5f0b150b
http://www.mantisbt.org/bugs/view.php?id=17742
https://www.cve.org/CVERecord?id=CVE-2014-8988
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.