View Issue Details

ID: 0036005
Project: mantisbt
Category: security
View Status: public
Last Update: 2025-11-03 04:05
Reporter: ncrcs
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.27.2
Fixed in Version: 2.27.2
Summary: 0036005: CVE-2025-55155: Lack of verification when changing a user's email address
Description

While going through the product, I found that after an account is successfully created, a user can change their email ID. This new email ID is not verified before the change and hence can result in severe consequences.

Steps To Reproduce

Steps to reproduce:

  1. Try creating a new account with an email. You will get the link in your email for verification.
  2. Now go to my account and change the email. You can see it successfully got changed without any verification.
Additional Information

I wish to be credited for this finding.
Name: Chaitanya Reddy

Tags: No tags attached.

Relationships

related to 0036509 (confirmed): Account Update does not use UserUpdateCommand
related to 0036624 (resolved, atrol): Changing email address is no longer possible

Activities

dregad (developer), 2025-05-25 08:08, ~0070295

Thanks for your report.

You're absolutely right, we are missing email validation after change.

I'm quite busy at the moment so I can't commit on when I'll be able to address the problem. Please bear with me.

In the meanwhile, please let me know your GitHub user ID, so I can add you to the security advisory that I will be creating for this.

ncrcs (reporter), 2025-05-25 10:34, ~0070296

Thank you so much for confirming this issue.

GitHub username: ncrcs

ncrcs (reporter), 2025-06-17 05:51, ~0070360

Hi Dregad, is there any tentative timeline as to when this issue will be resolved?

This will be my first ever CVE so just a bit impatient. Nothing else.

ncrcs (reporter), 2025-08-08 05:29, ~0070425

Hi Dregad, just checking to see any update on this issue.

dregad (developer), 2025-08-08 09:41, ~0070426

Apologies, I have been very busy May/June, and away for vacation most of July. Hoping to get to it soon.

ncrcs (reporter), 2025-08-09 01:20, ~0070427

No worries. And thanks for the update.

dregad (developer), 2025-08-09 11:26, ~0070428

I opened Security Advisory GHSA-q747-c74m-69pr. A CVE has been requested.

Please let me know how you would like to be credited for the finding.

vboctor (manager), 2025-08-10 14:51, ~0070429

@dregad I added my comments to the PR. Here is the high level summary:

  1. We should be more specific about the attack vectors (e.g. spamming a user vs. taking over, etc.)
  2. We should be clear about scenarios where we verify vs. not. admin create/update of a user, user signup/update.
  3. Verification email should be sent to the new rather than old email address. There can be a copy email sent to the old email address. Sending email to the new email address is similar to the signup flow and handles the case where the user no longer has access to the old email.
  4. The update of a user's email address + verification should be doable via API and contained within the user update command.
dregad (developer), 2025-08-11 05:10, ~0070430

Verification email should be sent to the new rather than old email address. There can be a copy email sent to the old email address. Sending email to the new email address is similar to the signup flow and handles the case where the user no longer has access to the old email

That was a mistake, now fixed in the PR. I have also added the CC to the old address.

I'll look into the REST API bit.

dregad (developer), 2025-08-11 13:45, ~0070436

CVE-2025-55155 has been assigned.

Related Changesets

MantisBT: master-2.27 bed58477
2025-08-10 12:50, dregad

New print_email_not_unique_warning() function

Removes code duplication in manage_user_edit_page.php and
account_page.php.

Issue 0036005

Affected Issues: 0036005
mod - account_page.php
mod - core/print_api.php
mod - manage_user_edit_page.php

MantisBT: master-2.27 cd84c617
2025-08-10 12:59, dregad

New function user_ensure_email_valid()

Previously, user_set_email() was both validating and storing the new
email.

This allows performing the validation independently. user_set_email()
calls the new function so current behavior remains unchanged.

Issue 0036005

Affected Issues: 0036005
mod - core/user_api.php

MantisBT: master-2.27 09840507
2025-08-10 13:11, dregad

Validate email address after user changes it

The new email address is temporarily stored in a Token, using a new type
(TOKEN_ACCOUNT_CHANGE_EMAIL), and a confirmation email is sent to the
user (new email_send_email_verification_url() function).

string_get_confirm_hash_url() gets a new optional parameter ($p_page)
to specify the target verification page.

A new verify_email.php page allows the user to confirm that the address
is valid, and update the account.

New language strings to support the new functionality have been defined.

ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID error message has been modified
to remove `Please signup again.`, making it more generic and allowing
its reuse in the email verification context.

Fixes 0036005, CVE-2025-55155

Affected Issues: 0036005
mod - account_update.php
mod - core/constant_inc.php
mod - core/email_api.php
mod - core/string_api.php
mod - lang/strings_english.txt
add - verify_email.php

MantisBT: master-2.27 0d04eed6
2025-08-10 13:14, dregad

Remove pending email if admin updates it

If a user account has a pending TOKEN_ACCOUNT_CHANGE_EMAIL and an admin
updates that user's email address, it effectively invalidates the
earlier email change so we delete the token in this case.

Issue 0036005

Affected Issues: 0036005
mod - core/commands/UserUpdateCommand.php

MantisBT: master-2.27 547a6e18
2025-08-10 13:19, dregad

Display pending email verification information

On account_page.php, manage_user_page.php and manage_user_edit_page.php,
we display a warning message to inform the user that the email address
is pending user validation.

Adds a new print_email_pending_verification_warning() function similar
to print_email_not_unique_warning().

To efficiently process the list of user accounts in manage_user_page.php
a new token_get_by_type() function allows retrieving a list of all
tokens of a given type.

Issue 0036005

Affected Issues: 0036005
mod - account_page.php
mod - core/print_api.php
mod - core/tokens_api.php
mod - manage_user_edit_page.php
mod - manage_user_page.php

MantisBT: master-2.27 a0bc8c34
2025-08-11 02:32, dregad

Send message to the new email address, CC the old

Rename $t_email variable to $t_old_email, to avoid confusion.

Fixes 0036005

Affected Issues: 0036005
mod - core/email_api.php

MantisBT: master-2.27 371c830f
2025-08-24 06:33, dregad

UserUpdateCommand: use user_ensure_email_valid()

Avoid code duplication and ensure email is validated in the same way
everywhere.

Issue 0036005

Affected Issues: 0036005
mod - core/commands/UserUpdateCommand.php

MantisBT: master-2.27 765fbd2a
2025-10-19 09:37, dregad

Email validation hash not usable to reset password

Since we use the same token to store the confirmation hash for all
validation emails, we need to make sure that if it was generated for an
email confirmation it cannot be used for a password reset, and vice
versa.

Fixes 0036005

Affected Issues: 0036005
mod - core/user_api.php
mod - verify.php

MantisBT: master-2.27 bb8dd10b
2025-10-19 09:37, dregad

Remove pending email when resetting password

Issue 0036005

Affected Issues: 0036005
mod - lost_pwd.php
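The changesets 09840507, 0d04eed6, 765fbd2a and bb8dd10b above together describe the fix: the new address is parked in a token rather than written to the account, the confirmation link is mailed to the new address (with the old address in CC), a confirmation hash minted for an email change cannot be redeemed as a password reset (or vice versa), and an admin update or a password reset discards the pending change. The following is an added illustration of that flow in Python, written for this page; it is not MantisBT code. The class and function names, the constructed user, the one-hour lifetime and the link formats are this example's own assumptions, and the two purpose strings stand in for TOKEN_ACCOUNT_CHANGE_EMAIL and the lost-password token.

```python
import hashlib
import hmac
import re
import secrets

# Token purposes (assumed names standing in for MantisBT's token types).
# A hash minted for one purpose must never be accepted for the other.
PURPOSE_CHANGE_EMAIL = "change_email"
PURPOSE_LOST_PASSWORD = "lost_password"

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _digest(secret: str) -> str:
    """Store only a digest of the confirmation secret, so reading the token
    table does not yield a usable confirmation link."""
    return hashlib.sha256(secret.encode()).hexdigest()


class AccountStore:
    """Constructed in-memory model: one verified email per user and one
    pending token slot per user, shared by all confirmation purposes."""

    def __init__(self, now):
        self.now = now          # injectable clock (seconds) for the demo
        self.ttl = 3600         # assumed token lifetime
        self.emails = {}        # user_id -> verified email address
        self.tokens = {}        # user_id -> pending token (single slot)
        self.outbox = []        # messages "sent": dict(to, cc, link)

    def _issue(self, user_id, purpose, new_email=None):
        secret = secrets.token_urlsafe(32)
        self.tokens[user_id] = {
            "purpose": purpose,
            "new_email": new_email,
            "digest": _digest(secret),
            "expires": self.now() + self.ttl,
        }
        return secret

    def request_email_change(self, user_id, new_email):
        """User asks for a new address: validate it, park it in a token,
        and mail the confirmation link to the NEW address, CC the old one.
        The account itself is not touched until the link is confirmed."""
        if not _EMAIL_RE.match(new_email):
            raise ValueError("invalid email address")
        if new_email in self.emails.values():
            raise ValueError("email address already in use")
        secret = self._issue(user_id, PURPOSE_CHANGE_EMAIL, new_email)
        self.outbox.append({"to": new_email, "cc": self.emails[user_id],
                            # assumed link format for the example
                            "link": f"verify_email.php?id={user_id}&confirm_hash={secret}"})
        return secret

    def request_password_reset(self, user_id):
        """Reset link goes only to the verified address. Because the token
        slot is shared, issuing it discards any pending email change."""
        secret = self._issue(user_id, PURPOSE_LOST_PASSWORD)
        self.outbox.append({"to": self.emails[user_id], "cc": None,
                            "link": f"verify.php?id={user_id}&confirm_hash={secret}"})
        return secret

    def admin_set_email(self, user_id, email):
        """Admin edits apply directly; a pending user-initiated change is
        now stale, so its token is deleted."""
        self.tokens.pop(user_id, None)
        self.emails[user_id] = email

    def confirm(self, user_id, secret, purpose):
        """Consume the token only if it exists, is unexpired, was minted for
        this purpose, and the secret matches (constant-time compare)."""
        tok = self.tokens.get(user_id)
        if tok is None or tok["expires"] <= self.now():
            return False
        if tok["purpose"] != purpose:
            return False        # email-confirm hash cannot reset a password, and vice versa
        if not hmac.compare_digest(tok["digest"], _digest(secret)):
            return False
        del self.tokens[user_id]            # single use
        if purpose == PURPOSE_CHANGE_EMAIL:
            self.emails[user_id] = tok["new_email"]
        return True

    def pending_email(self, user_id):
        """What the pending-verification warning or an `email_pending` field would show."""
        tok = self.tokens.get(user_id)
        if tok and tok["purpose"] == PURPOSE_CHANGE_EMAIL:
            return tok["new_email"]
        return None


def demo():
    """Walk the flow with a constructed user and return the checks as a dict."""
    clock = [1_000_000.0]
    store = AccountStore(now=lambda: clock[0])
    store.emails[7] = "alice@example.org"          # constructed user

    secret = store.request_email_change(7, "alice@example.net")
    r = {
        "sent_to_new_cc_old": store.outbox[-1]["to"] == "alice@example.net"
                              and store.outbox[-1]["cc"] == "alice@example.org",
        "unchanged_until_confirmed": store.emails[7] == "alice@example.org",
        "pending": store.pending_email(7),
        "cross_purpose_rejected": not store.confirm(7, secret, PURPOSE_LOST_PASSWORD),
        "wrong_secret_rejected": not store.confirm(7, "not-the-secret", PURPOSE_CHANGE_EMAIL),
    }
    r["confirmed"] = store.confirm(7, secret, PURPOSE_CHANGE_EMAIL)
    r["replay_rejected"] = not store.confirm(7, secret, PURPOSE_CHANGE_EMAIL)
    r["email_after_confirm"] = store.emails[7]

    secret2 = store.request_email_change(7, "alice@example.com")
    clock[0] += 3601                                # let the token expire
    r["expired_rejected"] = not store.confirm(7, secret2, PURPOSE_CHANGE_EMAIL)

    store.request_email_change(7, "alice@example.com")
    store.admin_set_email(7, "alice@corp.example")
    r["admin_clears_pending"] = store.pending_email(7) is None

    store.request_email_change(7, "alice@example.com")
    store.request_password_reset(7)
    r["reset_clears_pending"] = (store.pending_email(7) is None
                                 and store.outbox[-1]["to"] == "alice@corp.example")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The single shared token slot is what makes the purpose check in confirm() necessary: without it, the secret mailed to an unverified address for an email change would also pass the password-reset page, which is the gap 765fbd2a closes.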

MantisBT: master-2.27 0033f11c
2025-10-19 10:01, dregad

Use 'realname' instead of 'real_name' for internal

- `real_name` is used for end-user facing APIs (typically in REST and
SOAP payloads or returned data).
- `realname` is used internally in MantisBT core, because this is the
actual column name in the user table.

When updating a user, the Command is talking to the core api, so the
data structure should use the internal name.

Issue 0036005

Affected Issues: 0036005
mod - core/commands/UserUpdateCommand.php
mod - core/email_api.php

MantisBT: master-2.27 e4ffb379
2025-10-19 11:00, dregad

Handle email change in UserUpdateCommand

The update_user() method now triggers the email validation process via
TOKEN_ACCOUNT_CHANGE_EMAIL when it is changed by the user, replicating
the behavior in account_page.php.

This ensures consistent behavior between REST API and GUI.

Fixes 0036005

Affected Issues: 0036005
mod - core/commands/UserUpdateCommand.php

MantisBT: master-2.27 2b3e63e1
2025-10-19 11:13, dregad

Get pending email address from REST API

Adding `email_pending` to the list of fields in the select parameter
from /users endpoints will return the new email address pending user
validation, if there is one.

Field is not selected by default.

Issue 0036005

Affected Issues: 0036005
mod - api/soap/mc_account_api.php

MantisBT: master-2.27 21e9fbed
2025-10-26 14:21, dregad

Verify new email after email change

Fixes 0036005, CVE-2025-55155, GHSA-q747-c74m-69pr

Affected Issues: 0036005
mod - account_page.php
mod - account_update.php
mod - api/soap/mc_account_api.php
mod - core/commands/UserUpdateCommand.php
mod - core/constant_inc.php
mod - core/email_api.php
mod - core/print_api.php
mod - core/string_api.php
mod - core/tokens_api.php
mod - core/user_api.php
mod - lang/strings_english.txt
mod - lost_pwd.php
mod - manage_user_edit_page.php
mod - manage_user_page.php
mod - verify.php
add - verify_email.php