DSA-2500-1 mantis -- severalID: oval:org.secpod.oval:def:600836 | Date: (C)2012-06-29 (M)2022-10-10 |
Class: PATCH | Family: unix |
Several vulnerabilities were discovered in Mantis, am issue tracking system. CVE-2012-1118 Mantis installation in which the private_bug_view_threshold configuration option has been set to an array value do not properly enforce bug viewing restrictions. CVE-2012-1119 Copy/clone bug report actions fail to leave an audit trail. CVE-2012-1120 The delete_bug_threshold/bugnote_allow_user_edit_delete access check can be bypassed by users who have write access to the SOAP API. CVE-2012-1122 Mantis performed access checks incorrectly when moving bugs between projects. CVE-2012-1123 A SOAP client sending a null password field can authenticate as the Mantis administrator. CVE-2012-2692 Mantis does not check the delete_attachments_threshold permission when a user attempts to delete an attachment from an issue.