CVE-2018-9839

Name of the Vulnerable Software and Affected Versions: MantisBT versions 1.3.14 and earlier, 2.0.0

Description: An issue was discovered in MantisBT where any user with REPORTER access or above can view any private issue's details, including summary, description, steps to reproduce, and additional information, when cloning it by using a crafted request on the "bug report page.php" endpoint and modifying the m id parameter. By checking the 'Copy issue notes' and 'Copy attachments' checkboxes and completing the clone operation, this data also becomes public, except for private notes.

Recommendations: For MantisBT versions 1.3.14 and earlier, consider restricting access to the "bug report page.php" endpoint until a patch is available. For MantisBT version 2.0.0, avoid using the m id parameter in the "bug report page.php" endpoint until the issue is resolved. As a temporary workaround, consider disabling the clone operation for private issues until a patch is available.