PT-2024-25691 · Mantisbt · Mantisbt

Vboctor · Published 2024-05-13 · Updated 2025-11-24 · CVE-2024-34080

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.26.2

Description: The issue affects MantisBT, an open source issue tracker, where an issue referencing a note from another issue that the user does not have access to becomes hyperlinked. Although clicking the link results in an access denied error, some information remains accessible via the link, link label, and tooltip. This can lead to the disclosure of the note's existence, the note author's name, the note creation timestamp, and the issue ID the note belongs to.

Recommendations: For versions prior to 2.26.2, update to version 2.26.2 to resolve the issue. As a temporary workaround, consider restricting access to hyperlinked notes to minimize the risk of information disclosure.
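
The pattern behind the description, as an added illustration that is not MantisBT source code: a note-reference linkifier that renders metadata for any existing note, beside one that authorizes the viewer first and renders forbidden and nonexistent notes identically. The `~<id>` reference syntax, the URL layout, all function names and the sample data are assumptions made for the example.

```php
<?php
// Added illustration, not MantisBT source. All names, the "~<id>" reference
// syntax and the URL layout are assumptions; the data below is constructed.
$notes = [
    17 => ['issue' => 5, 'author' => 'alice', 'created' => '2024-01-02 10:00'],
    42 => ['issue' => 9, 'author' => 'bob',   'created' => '2024-03-04 15:30'],
];
$acl = ['carol' => [5]]; // issue ids each user may view

function render_link(int $id, array $n): string
{
    $tip = htmlspecialchars("{$n['author']} - {$n['created']}", ENT_QUOTES);
    return "<a href=\"view.php?id={$n['issue']}#c{$id}\" title=\"{$tip}\">"
         . "{$n['issue']}:~{$id}</a>";
}

// Flawed pattern from the description: any existing note is linked, so the
// href, label and tooltip reveal issue id, author and timestamp to everyone.
function link_notes_unchecked(string $text, array $notes): string
{
    return preg_replace_callback('/~(\d+)/', function (array $m) use ($notes) {
        $id = (int) $m[1];
        return isset($notes[$id]) ? render_link($id, $notes[$id]) : $m[0];
    }, $text);
}

// Hardened pattern: authorize against the viewer before emitting metadata.
// A forbidden note and a nonexistent note both stay as plain text, so the
// output does not confirm that the note exists.
function link_notes_checked(string $text, array $notes, array $acl, string $user): string
{
    return preg_replace_callback('/~(\d+)/', function (array $m) use ($notes, $acl, $user) {
        $id = (int) $m[1];
        $n = $notes[$id] ?? null;
        $allowed = $n !== null && in_array($n['issue'], $acl[$user] ?? [], true);
        return $allowed ? render_link($id, $n) : $m[0];
    }, $text);
}

$text = 'See ~17, ~42 and ~99.'; // constructed input, assumed already HTML-escaped
echo link_notes_unchecked($text, $notes), PHP_EOL; // links ~17 and ~42
echo link_notes_checked($text, $notes, $acl, 'carol'), PHP_EOL; // links ~17 only
```

In the checked output, `~42` (exists but not visible to `carol`) and `~99` (does not exist) are indistinguishable, which is the property to verify when testing a patched instance with a low-privilege account.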

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-34080
GHSA-99JC-WQMR-FF2Q

Affected Products

Mantisbt