PT-2026-60370 · Packagist · Mantisbt/Mantisbt
CVE-2026-52883
·
Publicado
2026-07-15
·
Atualizado
2026-07-15
CVSS v4.0
5.3
Média
| Vetor | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Unvalidated note type Parameter in mc issue update SOAP Endpoint Allows creation of TIME TRACKING and REMINDER Notes. The SOAP path passes the user-supplied note type integer directly to bugnote add() without validating that the user is authorized to create that type of note. If the user's access level is higher than $g time tracking view threshold, they can also inject arbitrary hours into billing reports.
REST API also allows injection of TIME TRACKING notes (but not REMINDER) through the same mc issue update() function.
Impact
An attacker with UPDATER access could:
- Inject fake billable hours via TIME TRACKING notes (note type=2), corrupting billing data exported through MantisBT's billing reports. Organizations that bill clients based on MantisBT time tracking data would generate incorrect invoices, and corrupt time tracking reports could be used to drive project management decisions.
- Fake REMINDER notes registered (but without actual sending of notifications).
Patches
Workarounds
None
Resources
Credits
Thanks to the following security researchers for discovering and responsibly reporting the issue
- Vishal Shukla
- Psalms Christopher Matovu (@byteoverride)
Correção
RCE
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Mantisbt/Mantisbt