CVE-2015-2142

Name of the Vulnerable Software and Affected Versions phpBugTracker versions prior to 1.7.0

Description The issue allows remote authenticated users to hijack the authentication of other users for various requests, including deleting data and causing unspecified impacts. This is achieved through multiple cross-site request forgery (CSRF) vulnerabilities. The affected API endpoints include "project.php" with the id parameter, "group.php" with the group id parameter, "status.php" with the status id parameter, "severity.php" with the severity id parameter, "priority.php" with the priority id parameter, "os.php" with the os id parameter, "database.php" with the database id parameter, and "sites.php" with the site id parameter.

Recommendations For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "project.php", "group.php", "status.php", "severity.php", "priority.php", "os.php", "database.php", and "sites.php", to minimize the risk of exploitation. Additionally, avoid using the parameters id, group id, status id, severity id, priority id, os id, database id, and site id in the respective API endpoints until the issue is resolved.