CVE Reference: CVE-2012-2692

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia nor the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE:
CVE-2012-2692

Description:
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.

CVE Status:
Candidate

References:

SAID
  Secunia Advisory: SA51199

MLIST
  http://www.openwall.com/lists/oss-security/2012/06/11/6
  http://www.openwall.com/lists/oss-security/2012/06/09/1

GENTOO
  http://security.gentoo.org/glsa/glsa-201211-01.xml

FEDORA
  http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html
  http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html
  http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html

CONFIRM
  http://www.mantisbt.org/bugs/view.php?id=14016
  http://www.mantisbt.org/bugs/changelog_page.php?version_id=148

BID
  53921

