View Issue Details

ID: 0022737
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-12-30 09:14
Reporter: j_schultz
Assigned To: dregad
Priority: urgent
Severity: block
Reproducibility: N/A
Status: closed
Resolution: no change required
Product Version: 2.3.0
Summary: 0022737: CVE-2017-7615 bugfix needs to be made public as soon as possible
Description

My issue tracker running Mantis 2.3.0 was apparently attacked merely two hours after the issue was made semi-public on the security update mailing list for Mantis. There is no point in keeping this information "confidential" anymore as instructed in the mail; it is already public knowledge among attackers. For instance, on my installation, the admin account was reset and all issues were deleted. Not a big deal since I have backups, but still very annoying, and other people might be worse off.
An official update should be released not just "soon", as written in the mail, but as quickly as possible, available to everyone, including those not subscribed to the mailing list.

Tags: No tags attached.

Relationships

related to 0022690 (closed, assigned to dregad): CVE-2017-7615: Account verification page allows resetting any user's password

Activities

dregad (developer), 2017-04-16 13:10, note ~0056583

Sorry about the inconvenience.