View Issue Details

ID: 0027726
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-12-30 07:37
Reporter: d3vpoo1
Assigned To: dregad
Status: closed
Resolution: fixed
Target Version: 2.24.4
Fixed in Version: 2.24.4
Summary: 0027726: CVE-2020-29603: Disclosure of private project name

Any logged-in MantisBT user can retrieve Private Projects' names, without having access to them.

Steps To Reproduce
  1. Go to
  2. Get an Access Denied error
  3. Look at the Navbar's Project selector, showing the private project's name (see attached screenshot)
Additional Information

This vulnerability was originally reported by @d3vpoo1 in 0027357.

Tags: No tags attached.
Attached Files
ksnip_20201207-192050.png (42,156 bytes)   

child of 0027357 (closed, dregad): Attacker can leak private information via different functionality

~0064771 (developer), 2020-12-07 17:59, last edited 2020-12-07 18:02

CVE Request 997513 for CVE ID Request -- CVE-2020-29603 assigned

Related Changesets

MantisBT: master cff10f26 (2020-12-06 07:39)

Avoid private project name disclosure

When an unprivileged user tries to access a private project via
manage_proj_edit_page.php, they receive an Access Denied as expected,
but the project's name is leaked via the navbar's project selector.

Credits to d3vpoo1 ( for reporting and
providing an initial patch for this bug.

Fixes 0027726, 0027357, CVE-2020-29603
Affected Issues: 0027357, 0027726
mod - core/layout_api.php
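As an added illustration (not code from MantisBT, from the reporter, or from the changeset above), the following PHP sketch shows the ordering problem the commit message describes: the layout and its project selector are populated from the requested project ID before the access check runs, so the Access Denied page still carries the private project's name. The hardened variant authorises first and builds the selector only from projects the user may see. Every identifier here (PROJECTS, the sample IDs and names, render_navbar, edit_page_vulnerable, edit_page_fixed) is hypothetical, and the fix shown is a generic pattern, not MantisBT's actual change to core/layout_api.php.

```php
<?php
declare(strict_types=1);

// Added illustration, not MantisBT code. All names below are hypothetical.

// Constructed sample data: one public project and one private project;
// user 7 is a member of the public project only.
const PROJECTS = [
    1 => ['name' => 'Public Website', 'private' => false, 'members' => [7, 9]],
    2 => ['name' => 'Secret Launch',  'private' => true,  'members' => [9]],
];

function user_can_view_project(int $userId, int $projectId): bool {
    $project = PROJECTS[$projectId] ?? null;
    if ($project === null) {
        return false;
    }
    return !$project['private'] || in_array($userId, $project['members'], true);
}

// The selector's option list, derived from the user's permissions alone.
function accessible_projects(int $userId): array {
    $result = [];
    foreach (PROJECTS as $id => $project) {
        if (user_can_view_project($userId, $id)) {
            $result[$id] = $project['name'];
        }
    }
    return $result;
}

function render_navbar(array $projects, ?int $selectedId): string {
    $html = '<nav><select name="project">';
    foreach ($projects as $id => $name) {
        $sel = ($id === $selectedId) ? ' selected' : '';
        $html .= '<option value="' . $id . '"' . $sel . '>'
               . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return $html . '</select></nav>';
}

// Vulnerable ordering: the requested project is pushed into the layout
// before the access check, so the Access Denied page still names it.
function edit_page_vulnerable(int $userId, int $requestedId): string {
    $projects = accessible_projects($userId);
    $projects[$requestedId] = PROJECTS[$requestedId]['name']; // leak: unchecked request value
    $html = render_navbar($projects, $requestedId);
    if (!user_can_view_project($userId, $requestedId)) {
        return $html . '<p>Access Denied</p>';
    }
    return $html . '<form>...</form>';
}

// Hardened ordering: authorise first; the selector only ever contains
// entries from accessible_projects(), and a denied request falls back to
// the user's current project (if still accessible) for the selection.
function edit_page_fixed(int $userId, int $requestedId, ?int $currentId): string {
    $projects = accessible_projects($userId);
    if (!user_can_view_project($userId, $requestedId)) {
        $selected = ($currentId !== null && isset($projects[$currentId])) ? $currentId : null;
        return render_navbar($projects, $selected) . '<p>Access Denied</p>';
    }
    return render_navbar($projects, $requestedId) . '<form>...</form>';
}

// Regression-style check: a denied response must not carry the private name.
function leaks_private_name(string $response): bool {
    return strpos($response, 'Secret Launch') !== false;
}

// Demo: user 7, currently on project 1, requests private project 2.
var_dump(leaks_private_name(edit_page_vulnerable(7, 2)));
var_dump(leaks_private_name(edit_page_fixed(7, 2, 1)));
```

The check at the end is the kind of assertion worth keeping as a regression test for this class of bug: request a resource the user is denied, then scan the entire response body (navigation, titles, breadcrumbs) for the protected value, not only the main content area.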