MantisBT may expose private issues' summaries to unauthorized users

Impact

Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted bug_arr[] parameter in bug_actiongroup_ext.php.

Patches

The vulnerability has been fixed in MantisBT version 2.25.6.

Workarounds

None

Credits

Thanks to d3vpoo1 for reporting the issue.

References

• https://mantisbt.org/bugs/view.php?id=31086