View Issue Details

ID: 0008995
Project: mantisbt
Category: security
View Status: public
Last Update: 2008-05-08 21:56
Reporter: thraxisp
Assigned To: thraxisp
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: git trunk
Target Version: 1.2.0a1
Fixed in Version: 1.2.0a1
Summary: 0008995: CSRF Vulnerabilities in user_create

Description:

Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

Name: Multiple Vulnerabilities in Mantis
Systems Affected: Mantis 1.1.1 and possibly earlier versions
Impact (CVSSv2): (, vector: )
Authors: Antonio "s4tan" Parata (s4tan AT ush DOT it)
         Francesco "ascii" Ongaro (ascii AT ush DOT it)
B) CSRF Vulnerabilities

There is a Cross Site Request Forgery vulnerability in the software. If a logged-in user with administrator privileges clicks on the following URL:

a new user 'foo' with administrator privileges is created. The password of the new user is sent to

Tags: No tags attached.


Relationships: child of 0008975 (closed, jreese) CSRF Vulnerabilities in user_create

Notes

~0017439, reporter, 2008-03-22 22:09

submitted to SVN r5132

Action pages are now qualified by checking for a POST command.
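As an added illustration of the fix this note describes (example code written for this page, not MantisBT's own; the function names, field names and sample requests are constructed):

```php
<?php
// Added example, not MantisBT's own code: an action page that performs its
// work only when the request arrived as a POST, which is the mitigation the
// note above describes. Function names and sample requests are constructed.

/**
 * Gate an action on the HTTP method and return the parameters to act on,
 * or null when the request must be refused.
 */
function action_params(string $method, array $post): ?array
{
    // A bare link (<a href>, <img src>) can only produce a GET, so refusing
    // every non-POST request closes the vector the advisory describes.
    if ($method !== 'POST') {
        return null;
    }
    // Read the POST body only; values appended to the action URL's query
    // string are ignored even when a POST carries them.
    return array_intersect_key($post, array_flip(['username', 'access_level']));
}

/**
 * Handler for a user_create style action page. Returns [HTTP status, message]
 * instead of emitting headers so it runs from the CLI. $get mirrors $_GET and
 * is deliberately never consulted.
 */
function handle_user_create(string $method, array $get, array $post): array
{
    $params = action_params($method, $post);
    if ($params === null) {
        return [405, 'refused: this action requires a POST'];
    }
    if (($params['username'] ?? '') === '') {
        return [400, 'refused: username is required'];
    }
    // ... the real page would create the account here ...
    return [200, sprintf('would create user %s with access level %s',
        $params['username'], $params['access_level'] ?? 'default')];
}

// Constructed requests: a crafted link the victim follows (GET with the
// parameters in the query string) versus a genuine form submission (POST).
$requests = [
    ['GET',  ['username' => 'foo', 'access_level' => 'administrator'], []],
    ['POST', [], ['username' => 'foo', 'access_level' => 'administrator']],
];
foreach ($requests as [$method, $get, $post]) {
    [$status, $message] = handle_user_create($method, $get, $post);
    printf("%-4s -> %d %s\n", $method, $status, $message);
}
```

Requiring POST stops the link-click vector in the advisory but not a form on a third-party page that submits a POST automatically, so a per-session secret carried in the form and verified by the server is the usual complement to this check.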

Issue History

Date Modified Username Field Change
2008-03-22 22:01 thraxisp New Issue
2008-03-22 22:01 thraxisp Status new => assigned
2008-03-22 22:01 thraxisp Assigned To => thraxisp
2008-03-22 22:01 thraxisp Issue generated from: 0008975
2008-03-22 22:01 thraxisp Relationship added child of 0008975
2008-03-22 22:09 thraxisp Status assigned => resolved
2008-03-22 22:09 thraxisp Fixed in Version => 1.2.0
2008-03-22 22:09 thraxisp Resolution open => fixed
2008-03-22 22:09 thraxisp Note Added: 0017439
2008-04-19 04:10 vboctor Status resolved => closed
2008-05-08 21:56 thraxisp View Status private => public