CVE-2024-34080 MEDIUM

CVE-2024-34080: MantisBT Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Vendor Mantisbt

Product mantisbt

Weakness CWE-200 · Info exposure

Published May 13, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

MantisBT (Mantis Bug Tracker) is an open source issue tracker. If an issue references a note that belongs to another issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the link, link label, and tooltip. This can result in disclosure of the existence of the note, the note author name, the note creation timestamp, and the issue id the note belongs to. Version 2.26.2 contains a patch for the issue. No known workarounds are available.

Key dates

02Disclosure timeline

May 13, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-34080 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2024-34080: MantisBT Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

01Description

02Disclosure timeline

03References

04Related CVE