CVE-2020-36192

Name of the Vulnerable Software and Affected Versions: MantisBT Source Integration plugin versions prior to 2.4.1

Description: An issue allows an attacker to gain access to the Summary field of private Issues, either marked as Private or part of a private Project, if they are attached to an existing Changeset. The information is visible on the "view.php" page and the "list.php" page, in a pop-up on the Affected Issues id hyperlink. If the attacker has "Update threshold" in the plugin's configuration, they can link any Issue to a Changeset by entering the Issue's id, even if they do not have access to it.

Recommendations: For versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "view.php" and "list.php" pages, or disabling the "Update threshold" feature in the plugin's configuration to minimize the risk of exploitation.