Shukla304

**Name of the Vulnerable Software and Affected Versions** Mantis Bug Tracker (MantisBT) versions prior to 2.28.2 **Description** A bugnote author can access the Revisions page of a note even after losing access to the parent private issue. This leads to the disclosure of the private issue's ID and summary, although the full revision body of the bugnote remains secure. **Recommendations** Update to version 2.28.2.

**Name of the Vulnerable Software and Affected Versions** Mantis Bug Tracker (MantisBT) versions prior to 2.28.2 **Description** An authenticated user can upload attachments to private issues that they are not authorized to access. **Recommendations** Update to version 2.28.2.

**Name of the Vulnerable Software and Affected Versions** Wagtail versions prior to 7.0.7 Wagtail versions prior to 7.3.2 **Description** A CMS user with limited access to form pages can delete submissions for pages they are not authorized to access. This is achieved by crafting a form submission to delete entries on a page they can access, but targeting submissions from pages they cannot. This issue is not exploitable by ordinary site visitors who lack access to the Wagtail admin. **Recommendations** Update to version 7.0.7. Update to version 7.3.2. Update to version 7.4 LTS.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.214 **Description** The backend `conversation change customer` action fails to properly validate the `customer email` variable. While the Change Customer modal filters out-of-scope customers via the mailbox-filtered search endpoint, a low-privileged agent can forge a request to bind a visible conversation to a hidden customer in another mailbox. **Recommendations** Update to version 1.8.214.

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.212 Description FreeScout, a help desk and shared inbox built with PHP's Laravel framework, does not properly consider the `limit user customer visibility` parameter when merging customers in versions prior to 1.8.212. Recommendations Update to version 1.8.212 or later.

**Name of the Vulnerable Software and Affected Versions** Mantis Bug Tracker versions prior to 2.28.1 **Description** Mantis Bug Tracker is an open source issue tracker. A flaw exists in version 2.28.0 where improper escaping of a tag name during the display of a confirmation message when deleting a tag (via the `tag delete.php` script) allows an attacker to inject HTML. If Content Security Policy (CSP) settings permit, this can lead to the execution of arbitrary JavaScript. The vulnerable parameter is the tag name displayed in the confirmation message. **Recommendations** Upgrade to Mantis Bug Tracker version 2.28.1 or later. As a temporary workaround, revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9. As a temporary workaround, manually edit language files to remove the `sprintf` placeholder `%1$s` from the `$s tag delete message` string.

**Name of the Vulnerable Software and Affected Versions** Mantis Bug Tracker versions prior to 2.28.1 **Description** Mantis Bug Tracker version 2.28.0 contains a flaw due to improper escaping of tag names retrieved from History in the Timeline feature, specifically within the `my view page.php` file. This allows an attacker to inject HTML code. If Content Security Policy (CSP) settings allow, this can lead to the execution of arbitrary JavaScript when displaying a tag that has been renamed or deleted. The vulnerable variable is `$this->tag name` within the `IssueTagTimelineEvent::html()` function. **Recommendations** Update to Mantis Bug Tracker version 2.28.1 or later. As a workaround, edit the offending History entries using SQL. As a workaround, wrap `$this->tag name` in a `string html specialchars()` call within the `IssueTagTimelineEvent::html()` function.