PT-2020-17005 · Mantisbt · Mantisbt

Published

2020-12-30

Updated

2022-05-24

CVE-2020-28413

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions MantisBT version 2.24.3

Description The issue is related to SQL Injection that can occur in the access parameter of the mc project get users function through the API SOAP.

Recommendations For MantisBT version 2.24.3, consider disabling the mc project get users function or restricting access to the API SOAP endpoint until a patch is available. Avoid using the access parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-28413

GHSA-49W9-82CJ-XR48

Affected Products

Mantisbt

PT-2020-17005 · Mantisbt · Mantisbt

CVE-2020-28413

Weakness Enumeration

Related Identifiers

Affected Products

References · 10