PT-2025-45718 · Packagist · Mantisbt/Mantisbt

Published: 2025-11-03 · Updated: 2025-11-03

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Impact

Due to insufficient access-level checks, any non-admin user with access to the manage_config_columns_page.php page (typically project managers holding the MANAGER role) can use the Copy From action to retrieve the columns configuration of a private project they have no access to.
Access to the reverse operation (Copy To) is correctly controlled, i.e. it is not possible to alter the private project's configuration.
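The flaw is a one-sided authorization check: the copy action verifies that the user may manage the destination project but never that the user may view the source project. The following is an added, hypothetical model of that check (not MantisBT's code, and it uses none of MantisBT's identifiers; project, user and access-level names are constructed) showing the incomplete check beside the corrected one, so the two behaviours can be compared directly.

```python
"""Model of the 'Copy From' authorization check described in the advisory.

Hypothetical example code; it is NOT MantisBT's implementation. Access
levels, project names and users are constructed for illustration only.
"""
from dataclasses import dataclass, field

MANAGER = 70   # constructed access level: may manage a project's config
ADMIN = 90     # constructed access level: may see and manage everything


class AccessDenied(Exception):
    """Raised when the caller lacks the required access level."""


@dataclass
class Project:
    name: str
    private: bool
    columns: list                      # the columns configuration being copied
    members: dict = field(default_factory=dict)   # user name -> access level


@dataclass
class User:
    name: str
    global_level: int = 0


def effective_level(user: User, project: Project) -> int:
    """Project-specific level if the user is a member, else the global level."""
    return project.members.get(user.name, user.global_level)


def can_view(user: User, project: Project) -> bool:
    """Private projects are visible only to members and administrators."""
    if user.global_level >= ADMIN or not project.private:
        return True
    return user.name in project.members


def can_manage(user: User, project: Project) -> bool:
    return effective_level(user, project) >= MANAGER


def copy_from_vulnerable(user: User, source: Project, dest: Project) -> list:
    """Incomplete check: only the destination project is authorized.

    The source (the project being read from) is never checked, so a manager
    of any project can pull the configuration of a private one.
    """
    if not can_manage(user, dest):
        raise AccessDenied(f"{user.name} may not manage {dest.name}")
    dest.columns = list(source.columns)
    return dest.columns


def copy_from_fixed(user: User, source: Project, dest: Project) -> list:
    """Corrected check: the user must be able to view the source as well."""
    if not can_manage(user, dest):
        raise AccessDenied(f"{user.name} may not manage {dest.name}")
    if not can_view(user, source):          # the check that was missing
        raise AccessDenied(f"{user.name} may not view {source.name}")
    dest.columns = list(source.columns)
    return dest.columns


def demo() -> dict:
    """Constructed scenario: a manager of a public project targets a private one."""
    secret = Project("private-project", private=True,
                     columns=["id", "summary", "internal_severity"],
                     members={"owner": ADMIN})
    public = Project("public-project", private=False, columns=["id"],
                     members={"mallory": MANAGER})
    mallory = User("mallory", global_level=0)

    leaked = copy_from_vulnerable(mallory, secret, public)   # succeeds: leak

    public.columns = ["id"]                                   # reset for fixed run
    try:
        copy_from_fixed(mallory, secret, public)
        blocked = False
    except AccessDenied:
        blocked = True
    return {"leaked": leaked, "blocked": blocked, "dest_after_fix": public.columns}


if __name__ == "__main__":
    print(demo())
```

The point to carry into a review of any copy, import or compare feature is that every project referenced by the request, not just the one the page is "about", needs its own access check. Checking the destination alone is what keeps Copy To safe here while leaving Copy From open.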

Patches

The vulnerability will be fixed in MantisBT version 2.27.2.

Workarounds

None

Credits

Thanks to d3vpoo1 for reporting the issue.

Weakness Enumeration

Improper Authorization

Related Identifiers

GHSA-G582-8VWR-68H2

Affected Products

Mantisbt/Mantisbt