CVE-2020-29604

Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.24.4

Description: An issue in MantisBT allows an attacker with rights to create new issues to use the COPY group action to create a clone of any private issue, including all bugnotes and attachments, via the bug arr[] parameter in bug actiongroup.php. This provides full access to potentially confidential information.

Recommendations: For versions prior to 2.24.4, update to version 2.24.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the bug actiongroup.php file or disabling the COPY group action to minimize the risk of exploitation.