View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0037065 | mantisbt | security | public | 2026-04-18 17:25 | 2026-07-15 08:07 |
| Reporter | ninjasec | Assigned To | dregad | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 2.28.1 | ||||
| Target Version | 2.28.4 | Fixed in Version | 2.28.4 | ||
| Summary | 0037065: CVE-2026-52882: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters | ||||
| Description | The REST issue-update endpoint From the MantisBT UI, unreleased versions are only available if the user has $g_report_issues_for_unreleased_versions_threshold (DEVELOPER by default). The same issue is also present from the SOAP API (see duplicate issue #37068 for details), since both APIs rely on mc_issue_update().. | ||||
| Steps To Reproduce | Control request: Observed form fragment:
REST request:
Observed response:
Observed response body excerpt: | ||||
| Additional Information | Severity: Type: Affected code: Why it happens:
And mc_issue_update() resolves the supplied version by existence only:
Impact: | ||||
| Tags | No tags attached. | ||||
|
Bug is confirmed. The problem is also present in bug_update.php - if the user sends a crafted request with an unreleased version, the bug is updated regardless of $g_report_issues_for_unreleased_versions_threshold. Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-3v2j-6fw9-f57c created, CVE request sent. |
|
|
PR for review https://github.com/mantisbt/mantisbt-private/pull/17 @ninjasec your feedback would be appreciated. |
|
|
CVE-2026-52882 assigned (on 09-Jun-2026). |
|
|
MantisBT: master-2.28 6b248809 2026-05-30 09:22 Details Diff |
New version_is_released() API function Also added VersionData::is_released() method. Issue 0037065 |
Affected Issues 0037065 |
|
| mod - core/version_api.php | Diff File | ||
|
MantisBT: master-2.28 016f1055 2026-05-30 09:29 Details Diff |
Prevent unauthorized update of `version` field Users below report_issues_for_unreleased_versions_threshold should not be allowed to set an Issue's product version to an unreleased one. Added the necessary access check to prevent that. Fixes 0037065, GHSA-3v2j-6fw9-f57c |
Affected Issues 0037065 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
|
MantisBT: master-2.28 0ac87c39 2026-05-30 09:35 Details Diff |
Prevent unauthorized update of `version` field (2) Users below report_issues_for_unreleased_versions_threshold should not be allowed to set an Issue's product version to an unreleased one. This addresses the problem in the MantisBT UI - users could send a crafted request to bug_report.php or bug_update.php Added the necessary access checks to prevent that. Fixes 0037065, GHSA-3v2j-6fw9-f57c |
Affected Issues 0037065 |
|
| mod - bug_update.php | Diff File | ||
| mod - core/commands/IssueAddCommand.php | Diff File | ||
|
MantisBT: master-2.28 17072d4c 2026-06-27 12:50 Details Diff |
Prevent unauthorized update of version field Fixes 0037065, CVE-2026-52882 |
Affected Issues 0037065 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
| mod - bug_update.php | Diff File | ||
| mod - core/commands/IssueAddCommand.php | Diff File | ||
| mod - core/version_api.php | Diff File | ||