View Issue Details

IDProjectCategoryView StatusLast Update
0031086mantisbtsecuritypublic2023-02-22 19:23
Reporterd3vpoo1 Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version2.25.5 
Target Version2.25.6Fixed in Version2.25.6 
Summary0031086: CVE-2023-22476: Private issue summary disclosure

Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted bug_arr[] parameter in bug_actiongroup_ext.php.

GitHub security advisory

Steps To Reproduce
  1. As normal user submit 2 public issues
  2. Go to view_all_bug_page.php
  3. Select all of the issue and use the attach tags
  4. Open proxy
  5. Modify the id using the private issue id (on my case I will use the id of 1), then off the proxy
  6. This will redirect to bug_actiongroup_page.php
  7. Turn on again the proxy and click the attach tags, modify again the value of bug_arr with the private id
  8. This will redirect to bug_actiongroup_ext.php and this will display the summary of the private issue
Additional Information

Original report:
Hi, it's been a while. I checked the endpoints that I tested before, and the endpoint /mantisbt/bug_actiongroup_page.php allows the attacker to disclose the summary of a private issue. I use the attach_tags and modify the bug_arr using the private issue id

TagsNo tags attached.
Attached Files
1.png (39,504 bytes)   
1.png (39,504 bytes)   
2.png (91,148 bytes)   
2.png (91,148 bytes)   


related to 0027727 closeddregad CVE-2020-29605: Disclosure of private issue summary 




2023-01-06 10:19

reporter   ~0067263

Hi team,

Checking for any possible update regarding this issue.




2023-01-06 10:58

developer   ~0067264

Sorry, that completely fell off the radar... The end of 2022 has been hectic. Thanks for the reminder, I will look into it.



2023-01-06 19:32

developer   ~0067271

Vulnerability is confirmed.



2023-01-06 20:11

developer   ~0067272

Trying something new, requesting a CVE via GitHub advisories instead of asking MITRE.



2023-01-06 20:29

developer   ~0067273

@d3vpoo1 you should now have access to the private temporary repository linked to the advisory

Your feedback on the proposed patch would be appreciated (this is pretty much the same fix as 0027727)



2023-01-08 11:16

developer   ~0067276

CVE-2023-22476 assigned



2023-01-09 06:00

reporter   ~0067277

Thank you team



2023-02-22 02:42

developer   ~0067411

Sorry for the delay in releasing this, I've been busy. Planning to cut the release today.

Related Changesets

MantisBT: master-2.25 840a4e80

2023-01-06 20:16


Details Diff
Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private
issues' summary via Group Actions (bug_actiongroup_ext.php).

Going through the provided list of issue IDs (bug_arr[]) and removing
any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 ( for reporting the issue.

Fixes 0031086, CVE-2023-22476
Affected Issues
mod - bug_actiongroup_ext.php Diff File