Mantisbt · Mantisbt · CVE-2015-1042
**Name of the Vulnerable Software and Affected Versions**
MantisBT versions 1.2.0a3 through 1.2.18
**Description**
The issue arises from an incorrect regular expression in the `string_sanitize_url` function, which allows remote attackers to conduct open redirect and phishing attacks. The flaw is triggered by supplying a URL containing a `:/` (colon slash) separator in the `return` parameter of `login_page.php`.
**Recommendations**
For MantisBT versions 1.2.0a3 through 1.2.18, update to a release that corrects the regular expression in the `string_sanitize_url` function. As a temporary workaround, restrict access to the `login_page.php` endpoint to reduce the risk of exploitation, and avoid relying on the `return` parameter of that endpoint until the issue is resolved.
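As an added example (not MantisBT code), the Python below contrasts a regex check that only recognises the `://` form, and therefore accepts the `:/` variant this entry describes, with a validator that confines the `return` target to a same-site path. The `naive_is_relative` helper and the `DEFAULT_RETURN` landing page are illustrative assumptions, not taken from the project.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed landing page used when the supplied return target is rejected.
DEFAULT_RETURN = "/my_view_page.php"


def naive_is_relative(value):
    """Illustrative weak check (NOT MantisBT's regex): treats anything that
    does not start with 'scheme://' as a relative, same-site target."""
    return re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", value) is None


def safe_return_target(value, default=DEFAULT_RETURN):
    """Return `value` only if it is a same-site absolute path; else `default`.

    The target is rejected, not rewritten: stripping or repairing separators
    is the approach that leaves gaps such as 'http:/host'.
    """
    if not isinstance(value, str) or not value:
        return default
    # Tabs, newlines and other control characters must never reach a
    # Location header; some URL parsers silently drop them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    # Browsers treat a backslash like a forward slash in this position.
    candidate = value.replace("\\", "/")
    # Require exactly one leading slash: '//host' and '///host' are both
    # interpreted as a host by browsers even where URL parsers disagree.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs; 'http:/evil.example' is the ':/' form.
    for sample in ("/view_all_bug_page.php?page_number=2",
                   "http:/evil.example", "//evil.example",
                   "/\\evil.example", "https://evil.example/"):
        print(f"{sample!r:40} naive={naive_is_relative(sample)!s:5} "
              f"-> {safe_return_target(sample)}")
```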