PT-2023-18528 · Unknown · Mantis Bug Tracker

D3Vpoo1 · Published 2023-02-23 · Updated 2023-03-03 · CVE-2023-22476

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mantis Bug Tracker versions prior to 2.25.6
Description: The issue is caused by insufficient access-level checks: any logged-in user who can perform Group Actions can read the Summary field of private issues by passing a crafted bug_arr[] parameter to bug_actiongroup_ext.php. This affects issues with Private view status and issues belonging to a private project.
Recommendations: For versions prior to 2.25.6, update to version 2.25.6 to resolve the issue. As a temporary workaround, consider restricting access to the bug_actiongroup_ext.php file or limiting the ability to perform Group Actions until the update can be applied. Avoid relying on the bug_arr[] parameter of the affected endpoint until the issue is resolved.
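The check the description says is insufficient, shown as an added illustration that is not MantisBT's own code or its actual patch: a group-action handler that reads the Summary of every ID in bug_arr[] must verify, per bug, that the current user meets the view threshold, independently of the user's right to run Group Actions. Helper names (access_has_bug_level, config_get, bug_get_field, bug_exists, gpc_get_int_array) follow the MantisBT core API; the handler structure and function names summaries_unchecked / summaries_checked are assumed for the example.

```php
<?php
// Added illustration, not MantisBT's own code or its fix. Shows the per-bug
// access check around the bug_arr[] IDs handled by bug_actiongroup_ext.php.
// Helper names follow the MantisBT core API; the handler structure is assumed.

// Weak pattern: treating every ID in bug_arr[] as viewable merely because the
// user is allowed to perform Group Actions. The Summary of a private issue is
// returned for any ID the caller chooses to place in the array.
function summaries_unchecked( array $t_bug_ids ) {
    $t_out = array();
    foreach( $t_bug_ids as $t_bug_id ) {
        $t_out[$t_bug_id] = bug_get_field( $t_bug_id, 'summary' );
    }
    return $t_out;
}

// Hardened pattern: the right to run a group action is separate from the right
// to view each individual issue. Resolve the view threshold for the bug's own
// project and check it per bug; access_has_bug_level also raises the required
// level for issues with Private view status. Anything the user may not see is
// skipped silently, so the response does not confirm that a private ID exists.
function summaries_checked( array $t_bug_ids ) {
    $t_out = array();
    foreach( $t_bug_ids as $t_bug_id ) {
        $t_bug_id = (int)$t_bug_id;
        if( !bug_exists( $t_bug_id ) ) {
            continue;
        }
        $t_project_id = bug_get_field( $t_bug_id, 'project_id' );
        $t_threshold = config_get( 'view_bug_threshold', null, null, $t_project_id );
        if( !access_has_bug_level( $t_threshold, $t_bug_id ) ) {
            continue;
        }
        $t_out[$t_bug_id] = bug_get_field( $t_bug_id, 'summary' );
    }
    return $t_out;
}

// In a group-action handler the IDs come from the bug_arr[] request parameter.
$f_bug_arr = gpc_get_int_array( 'bug_arr', array() );
$t_summaries = summaries_checked( $f_bug_arr );
```

The hardened version filters rather than aborts on the first denied ID, so a mixed list of viewable and private IDs yields only the viewable summaries.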

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2023-22476
GHSA-HF4X-6H87-HM79

Affected Products

Mantis Bug Tracker