PT-2017-6810 · Mantisbt · Mantisbt

Vasyl Kaigorodov · Published 2017-08-01 · Updated 2017-08-07 · CVE-2015-5059

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MantisBT versions 1.2.19 and earlier

Description: The issue allows remote authenticated users to download attachments linked to arbitrary private projects. This is possible when the threshold to access files is set to ANYBODY. The file_id parameter of the file_download.php endpoint is used to exploit this issue.

Recommendations: For MantisBT versions 1.2.19 and earlier, consider restricting access to the file_download.php endpoint until a fix is available. As a temporary workaround, change the $g_view_proj_doc_threshold setting to a value other than ANYBODY to minimize the risk of exploitation.
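An added defender-side example, not part of this advisory or of MantisBT's own code: it scans web-server access-log lines for file_download.php requests and flags accounts that successfully fetched many distinct file_id values, the footprint that abuse of this issue would leave on an unpatched instance. The log lines, user names, IPs and the detection threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access log (combined format); not from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Aug/2017:10:00:01 +0000] "GET /mantis/file_download.php?file_id=12&type=doc HTTP/1.1" 200 5120
10.0.0.5 - alice [01/Aug/2017:10:00:02 +0000] "GET /mantis/file_download.php?file_id=13&type=doc HTTP/1.1" 200 4410
10.0.0.5 - alice [01/Aug/2017:10:00:03 +0000] "GET /mantis/file_download.php?file_id=14&type=doc HTTP/1.1" 200 9001
10.0.0.5 - alice [01/Aug/2017:10:00:04 +0000] "GET /mantis/file_download.php?file_id=15&type=doc HTTP/1.1" 200 300
10.0.0.5 - alice [01/Aug/2017:10:00:05 +0000] "GET /mantis/file_download.php?file_id=16&type=doc HTTP/1.1" 200 1200
10.0.0.5 - alice [01/Aug/2017:10:00:06 +0000] "GET /mantis/file_download.php?file_id=17&type=doc HTTP/1.1" 403 210
10.0.0.9 - bob [01/Aug/2017:10:01:00 +0000] "GET /mantis/file_download.php?file_id=40&type=bug HTTP/1.1" 200 800
10.0.0.9 - bob [01/Aug/2017:10:01:05 +0000] "GET /mantis/view.php?id=7 HTTP/1.1" 200 6100
"""

# Combined-log-format fields we need: client IP, authenticated user, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_downloads(log_text):
    """Yield (user, ip, file_id, status) for every request to file_download.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.endswith("/file_download.php"):
            continue
        file_id = parse_qs(url.query).get("file_id", [None])[0]
        if file_id is None or not file_id.isdigit():
            continue
        yield m["user"], m["ip"], int(file_id), int(m["status"])


def find_enumerators(log_text, threshold=5):
    """Map (user, ip) -> sorted distinct file_ids for principals that successfully
    (HTTP 200) downloaded at least `threshold` distinct attachments."""
    seen = defaultdict(set)
    for user, ip, file_id, status in parse_downloads(log_text):
        if status == 200:
            seen[(user, ip)].add(file_id)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


def is_sequential(ids):
    """True when the ids form one contiguous run, a typical sign of id walking."""
    ids = sorted(ids)
    return len(ids) > 1 and ids[-1] - ids[0] == len(ids) - 1
```

Tune the threshold to the normal download volume of your own instance; a contiguous run of ids from one session is the stronger signal than the raw count.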

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2015-5059

Affected products

Mantisbt