PT-2026-60370 · Packagist · Mantisbt/Mantisbt

CVE-2026-52883

·

Publicado

2026-07-15

·

Atualizado

2026-07-15

CVSS v4.0

5.3

Média

VetorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Unvalidated note type Parameter in mc issue update SOAP Endpoint Allows creation of TIME TRACKING and REMINDER Notes. The SOAP path passes the user-supplied note type integer directly to bugnote add() without validating that the user is authorized to create that type of note. If the user's access level is higher than $g time tracking view threshold, they can also inject arbitrary hours into billing reports.
REST API also allows injection of TIME TRACKING notes (but not REMINDER) through the same mc issue update() function.

Impact

An attacker with UPDATER access could:
  • Inject fake billable hours via TIME TRACKING notes (note type=2), corrupting billing data exported through MantisBT's billing reports. Organizations that bill clients based on MantisBT time tracking data would generate incorrect invoices, and corrupt time tracking reports could be used to drive project management decisions.
  • Fake REMINDER notes registered (but without actual sending of notifications).

Patches

Workarounds

None

Resources

Credits

Thanks to the following security researchers for discovering and responsibly reporting the issue
  • Vishal Shukla
  • Psalms Christopher Matovu (@byteoverride)

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-52883
GHSA-4VPF-W7QV-5H3Q

Produtos afetados

Mantisbt/Mantisbt