PT-2021-11700 · Mantisbt · Mantisbt

D3Vpoo1 · Published 2021-01-29 · Updated 2022-05-24

CVE-2020-29605 · CVSS v3.1 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.24.4
Description: Due to insufficient access-level checks in bug_actiongroup_page.php, any logged-in user who is allowed to perform Group Actions can read the Summary field of issues they are not permitted to view by supplying their IDs in the bug_arr[] parameter of a crafted bug_actiongroup_page.php URL. The IDs in bug_arr[] are not checked against the requesting user's view access to each issue, so the targets can have Private view status or belong to a private Project. Only the Summary field is exposed, which is consistent with the CVSS vector: a low-privileged account is required (PR:L) and the confidentiality impact is Low (C:L).
Recommendations: Update to MantisBT 2.24.4 or later. Until the update is applied, restrict access to bug_actiongroup_page.php (for example with a web-server rule) or limit the ability to perform Group Actions to trusted users; either stopgap also blocks or narrows legitimate bulk issue operations, so treat it as temporary and plan the upgrade.
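The class of flaw is easier to see in code. The block below is an added example written for this page in Python; it is not MantisBT's own PHP and does not reproduce the project's patch. It models a simplified version of MantisBT's issue visibility rules (the numeric access levels, the public/private project rule and the PRIVATE_BUG_THRESHOLD value are assumptions made for the illustration), a listing routine that mirrors the vulnerable pattern of gating only on the coarse "may use Group Actions" capability, and the hardened form that checks view access for every id taken from bug_arr[].

```python
"""Added example for this page (not MantisBT's code): a simplified model of
MantisBT issue visibility and the group-action listing, showing the
missing per-issue check behind CVE-2020-29605.

Assumptions made for the illustration (constructed, not taken from MantisBT):
  * a logged-in user has DEFAULT_ACCESS in every public project;
  * a private project is visible only to users listed as its members;
  * a private issue is visible only to its reporter, its handler, or a
    user whose access level in the project is at least
    PRIVATE_BUG_THRESHOLD (named after MantisBT's private_bug_threshold
    option; the value used here is an assumption).
"""
from dataclasses import dataclass, field
from typing import Optional

# Access levels, loosely patterned on MantisBT's numeric levels (assumed here).
VIEWER, REPORTER, DEVELOPER, MANAGER = 10, 25, 55, 70
DEFAULT_ACCESS = REPORTER
PRIVATE_BUG_THRESHOLD = DEVELOPER


@dataclass
class Project:
    id: int
    private: bool
    members: dict = field(default_factory=dict)   # user_id -> access level


@dataclass
class Issue:
    id: int
    project_id: int
    summary: str
    view_state: str            # "public" or "private"
    reporter_id: int
    handler_id: Optional[int] = None


# Constructed sample data: one public project, one private project.
PROJECTS = {
    1: Project(1, private=False),
    2: Project(2, private=True, members={20: MANAGER}),
}
ISSUES = {
    100: Issue(100, 1, "Login page shows stale CSRF token", "public", 20),
    101: Issue(101, 1, "Private: customer X credentials in log", "private", 20),
    102: Issue(102, 2, "Internal project: staging DB password rotation", "public", 20),
}


def access_level(user_id: int, project: Project) -> int:
    """Access level of a user in a project under the assumed rules."""
    if project.private:
        return project.members.get(user_id, 0)
    return max(DEFAULT_ACCESS, project.members.get(user_id, 0))


def can_view_issue(user_id: int, issue: Issue) -> bool:
    """Per-issue view check: project access first, then the private view state."""
    level = access_level(user_id, PROJECTS[issue.project_id])
    if level < VIEWER:
        return False
    if issue.view_state == "private":
        return (user_id in (issue.reporter_id, issue.handler_id)
                or level >= PRIVATE_BUG_THRESHOLD)
    return True


def can_use_group_actions(user_id: int) -> bool:
    """Coarse capability check: in this model every logged-in user has it."""
    return user_id > 0


def summaries_vulnerable(user_id: int, bug_arr: list) -> dict:
    """Mirrors the flawed pattern: gate on the group-action capability only,
    then echo the summary of every id in bug_arr[] without a per-issue check."""
    if not can_use_group_actions(user_id):
        raise PermissionError("group actions not allowed")
    return {b: ISSUES[b].summary for b in bug_arr if b in ISSUES}


def summaries_fixed(user_id: int, bug_arr: list) -> dict:
    """Hardened pattern: every id from the request is checked against the
    requesting user's view access. Ids the user may not see are dropped
    silently, so the response does not even confirm that they exist."""
    if not can_use_group_actions(user_id):
        raise PermissionError("group actions not allowed")
    return {
        b: ISSUES[b].summary
        for b in bug_arr
        if b in ISSUES and can_view_issue(user_id, ISSUES[b])
    }


def leaked_ids(user_id: int, bug_arr: list) -> set:
    """Issue ids whose summary the vulnerable listing exposes to user_id but the
    hardened one does not; a non-empty result means the request would leak."""
    return set(summaries_vulnerable(user_id, bug_arr)) - set(summaries_fixed(user_id, bug_arr))


if __name__ == "__main__":
    for uid in (10, 20):
        print(uid, sorted(leaked_ids(uid, [100, 101, 102, 999])))
```

User 10 is an ordinary logged-in account with no membership in the private project; the vulnerable listing hands it the summaries of both the private issue and the private-project issue, while the hardened listing returns only the public one. The point for reviewers is that the capability to run a bulk operation is not the same as view access to each object named in the request, and the check has to run per id, which is also why the patched behaviour cannot be recovered by merely hiding the Group Actions UI.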

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2020-29605
GHSA-PGG9-MMCG-8MXP

Affected Products

Mantisbt