D3Vpoo1

**Name of the Vulnerable Software and Affected Versions** Mantis Bug Tracker versions prior to 2.25.6 **Description** The issue is caused by insufficient access-level checks, allowing any logged-in user who can perform Group Actions to access the Summary field of private Issues via a crafted `bug arr[]` parameter in *bug actiongroup ext.php*. This affects issues with Private view status or those belonging to a private Project. **Recommendations** For versions prior to 2.25.6, update to version 2.25.6 to resolve the issue. As a temporary workaround, consider restricting access to the *bug actiongroup ext.php* file or limiting the ability to perform Group Actions until the update can be applied. Avoid using the crafted `bug arr[]` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.24.4 Description: The issue allows any unprivileged logged-in user to retrieve Private Projects' names via the `project id` parameter in the "manage proj edit page.php" page, without having access to them. Recommendations: For versions prior to 2.24.4, update to version 2.24.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "manage proj edit page.php" page to minimize the risk of exploitation. Avoid using the `project id` parameter in the affected page until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.24.4 Description: An issue in MantisBT allows an attacker with rights to create new issues to use the COPY group action to create a clone of any private issue, including all bugnotes and attachments, via the `bug arr[]` parameter in bug actiongroup.php. This provides full access to potentially confidential information. Recommendations: For versions prior to 2.24.4, update to version 2.24.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the bug actiongroup.php file or disabling the COPY group action to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.24.4 Description: An issue was discovered due to insufficient access-level checks, allowing any logged-in user who can perform Group Actions to access the Summary fields of private Issues via `bug arr[]` in a crafted `bug actiongroup page.php` URL. The target Issues can have Private view status or belong to a private Project. Recommendations: For versions prior to 2.24.4, update to version 2.24.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `bug actiongroup page.php` URL or limiting the ability to perform Group Actions to trusted users until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 2.24.4 **Description** An issue in MantisBT allows an unprivileged attacker to view the Summary field of private issues and bugnotes revisions, potentially gaining access to confidential information. This is achieved via the `bugnote id` parameter in the bug revision view page.php file. **Recommendations** For versions prior to 2.24.4, update to version 2.24.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the bug revision view page.php file to minimize the risk of exploitation. Avoid using the `bugnote id` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 2.24.3 **Description** An issue was discovered that allows an attacker to inject HTML and, if Content Security Policy (CSP) settings permit, achieve execution of arbitrary JavaScript when attempting to update a custom field via the `bug actiongroup page.php` endpoint. The issue is due to improper escaping of a custom field's name. **Recommendations** For versions prior to 2.24.3, update to version 2.24.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `bug actiongroup page.php` endpoint to minimize the risk of exploitation. Additionally, review and adjust CSP settings to prevent the execution of arbitrary JavaScript.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 2.24.3 **Description** An issue was discovered that allows HTML injection and potentially the execution of arbitrary JavaScript when editing an issue in a project with a custom field that has a crafted regular expression property. This occurs due to improper escaping of the corresponding form input's pattern attribute. **Recommendations** For versions prior to 2.24.3, update to version 2.24.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom fields with regular expression properties until the update is applied.