FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2012-2691

This CVE name corresponds to:

Entered Topic
2012-06-12 mantis -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2012-2691
Phase Assigned (20120514)

Description

The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.

References

Source Reference
MLIST [oss-security] 20120609 CVE requests (x2) for Mantis Bug Tracker (MantisBT) before 1.2.11
MLIST [oss-security] 20120611 Re: CVE requests (x2) for Mantis Bug Tracker (MantisBT) before 1.2.11
CONFIRM http://www.mantisbt.org/bugs/changelog_page.php?version_id=148
CONFIRM http://www.mantisbt.org/bugs/view.php?id=14340
CONFIRM https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0
CONFIRM https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e
FEDORA FEDORA-2012-18273
FEDORA FEDORA-2012-18294
FEDORA FEDORA-2012-18299
GENTOO GLSA-201211-01
BID 53907
BID 56467
SECUNIA 49414
SECUNIA 51199
XF mantisbt-soapapi-sec-bypass(76180)