View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0037200 | mantisbt | security | public | 2026-05-27 22:07 | 2026-07-15 08:07 |
| Reporter | byteoverride | Assigned To | dregad | ||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Target Version | 2.28.4 | Fixed in Version | 2.28.4 | ||
| Summary | 0037200: CVE-2026-52883: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs | ||||
| Description | Unvalidated note_type Parameter in mc_issue_update SOAP Endpoint Allows Injection of TIME_TRACKING and REMINDER Notes. REST API also allows injection of TIME_TRACKING notes (but not REMINDER). Any authenticated user who can update an issue via the SOAP API can inject arbitrary EDIT (dregad): original report added to trigger email notifications to arbitrary users at the end of the previous paragraph, but this is in fact not true. This has been confirmed by the reporter, see 0037200:0071202. Vulnerability DetailsType: Improper Input Validation (CWE-20) Affected File: Vulnerable code at lines 1224-1227:
The MantisBT constants for reference:
| ||||
| Steps To Reproduce | Steps to ReproduceEnvironment: MantisBT 2.29.0-dev, PHP 8.3, MariaDB 11.8 Accounts used:
Step 1: Verify no TIME_TRACKING notes exist
Step 2: Inject TIME_TRACKING note via SOAP
Expected behavior: SOAP fault indicating the user does not have permission to create TIME_TRACKING notes. Actual behavior: Returns Step 3: Verify TIME_TRACKING note was injected
A TIME_TRACKING note with 1 hour of billable time was injected into issue 0000001 by testuser. This entry will appear in billing and time tracking reports. | ||||
| Additional Information | ImpactAn attacker with UPDATER access can:
EDIT (dregad): removed email notifications as impact, see 0037200:0071202. The Recommended FixValidate
Alternatively, route all note creation through Affected VersionsMantisBT 2.29.0-dev (current develop branch). The | ||||
| Tags | No tags attached. | ||||
|
Thanks for the report, I'll look into it. |
|
|
This vulnerability has already been identified back in April by another researcher (@ninjasec), who reported it against the REST API, but in fact it's the same issue as REST relies on the same mc_issue_update() function. Since this report is much clearer, against our usual practice I'll mark the older Issue #37081 as duplicate. Credits will be shared. I can reproduce the problem and therefore confirm the vulnerability, although the provided steps to reproduce are incorrect (duration is set to zero). Here is a SOAP payload that does add time:
It's also worth mentioning that with SOAP, the user must have $g_time_tracking_view_threshold otherwise even though a TIME_TRACKING note will indeed be created, the actual duration will be set to 0. With REST: |
|
|
As far as I can tell, adding a REMINDER note like this does NOT trigger email notifications, as bugnote_add() is called with $p_send_email parameter set to false. If you actually managed to do it, I'd like to know how. |
|
|
Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4vpf-w7qv-5h3q created and CVE request sent. @byteoverride please indicate how you would like to be credited for the finding. |
|
|
You're right that my PoC had the duration effectively at zero. I set note_attr to 01:00 but didn't include the time_tracking field properly. The core vulnerability (unauthorized note_type injection REMINDER email notifications: I reviewed the code again and you're correct. On line 1227 of mc_issue_api.php, bugnote_add() is called with $p_send_email explicitly set to false in the mc_issue_update path. I |
|
|
PR for review: https://github.com/mantisbt/mantisbt-ghsa-4vpf-w7qv-5h3q/pull/1 |
|
|
CVE-2026-52883 assigned (on 09-Jun-2026). |
|
|
MantisBT: master-2.28 de2f71fd 2026-05-30 13:09 Details Diff |
Use IssueNoteAddCommand from mc_issue_update() Using the Command to add notes instead of calling bugnote_add() ensures consistent behavior. It also prevents unauthorized, low-privilege users from submitting TIME_TRACKING notes with arbitrary duration via SOAP and REST API, or REMINDER notes (SOAP only). Fixes 0037200, GHSA-4vpf-w7qv-5h3q |
Affected Issues 0037200 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
|
MantisBT: master-2.28 983310cd 2026-05-30 13:09 Details Diff |
Use IssueNoteAddCommand from mc_issue_update() Using the Command to add notes instead of calling bugnote_add() ensures consistent behavior. It also prevents unauthorized, low-privilege users from submitting TIME_TRACKING notes with arbitrary duration via SOAP and REST API, or REMINDER notes (SOAP only). Fixes 0037200, GHSA-4vpf-w7qv-5h3q |
Affected Issues 0037200 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
|
MantisBT: master-2.28 6eecc70a 2026-05-30 17:52 Details Diff |
Fix broken PHPUnit tests - Incorrect assignment of time_tracking duration in mc_issue_update() - Adapt IssueUpdateTest::testUpdateWithNewNote() Adding a TIME_TRACKING note (type 2) with note_attr makes no sense as the latter is only used for REMINDER notes. TIME_TRACKING requires a duration, which is set with `time_tracking` attribute. Fixes 0037200 |
Affected Issues 0037200 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
| mod - tests/soap/IssueUpdateTest.php | Diff File | ||
|
MantisBT: master-2.28 667e0640 2026-05-30 17:52 Details Diff |
Fix broken PHPUnit tests - Incorrect assignment of time_tracking duration in mc_issue_update() - Adapt IssueUpdateTest::testUpdateWithNewNote() Adding a TIME_TRACKING note (type 2) with note_attr makes no sense as the latter is only used for REMINDER notes. TIME_TRACKING requires a duration, which is set with `time_tracking` attribute. Fixes 0037200 |
Affected Issues 0037200 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
| mod - tests/soap/IssueUpdateTest.php | Diff File | ||
|
MantisBT: master-2.28 7a52a683 2026-05-30 18:21 Details Diff |
Improve IssueUpdateTest testUpdateWithTimeTrackingNote() is taking care of testing adding notes with TIME_TRACKING type, so it is not needed in testUpdateWithNewNote(). testUpdateWithNewNote() now only deals with regular BUGNOTE type. A test for adding a new note without re-posting the previous contents has been added. Adding a new test case testUpdateWithReminderNote() for REMINDER notes. Issue 0037200 |
Affected Issues 0037200 |
|
| mod - tests/soap/IssueUpdateTest.php | Diff File | ||
|
MantisBT: master-2.28 63c4d4f4 2026-06-27 13:00 Details Diff |
Prevent special bugnotes injection via REST & SOAP Special bugnotes = TIME_TRACKING and REMINDER. Fixes 0037200, CVE-2026-52883 |
Affected Issues 0037200 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
| mod - tests/soap/IssueUpdateTest.php | Diff File | ||