CVE-2008-4688
Published 2008-10-22
Priority: P4 · 30 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EPSS: 11.71% (95.5th percentile)
core/string_api.php in Mantis before 1.1.3 does not check the privileges of the viewer before composing a link with issue data in the source anchor, which allows remote attackers to discover an issue's title and status via a request with a modified issue number.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mantis | mantis | <= 1.1.3 | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
| mantis | mantis | — | — |
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat · 5.0 MEDIUM
Red Hat
mantis: bug title and status leak to unauthorized users
vendor_redhat·CVSS 5.0
CVE-2008-4688 [MEDIUM] mantis: bug title and status leak to unauthorized users
GHSA
GHSA-938w-vx4g-p5w6: core/string_api
ghsa_unreviewed·2022-05-17
CVE-2008-4688 [MEDIUM] CWE-200 GHSA-938w-vx4g-p5w6: core/string_api
No detection rules found.
No public exploits indexed.
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/string_api.php?r1=5285&r2=5384&pathrev=5384
http://secunia.com/advisories/32243
http://secunia.com/advisories/32975
http://www.gentoo.org/security/en/glsa/glsa-200812-07.xml
http://www.mantisbt.org/bugs/changelog_page.php
http://www.mantisbt.org/bugs/view.php?id=9321
http://www.openwall.com/lists/oss-security/2008/10/20/1
http://www.securityfocus.com/bid/31868
Published: 2008-10-22