cbcvebase.
CVE-2017-7615
published 2017-04-16

CVE-2017-7615: MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.

Priority: P1 · 81 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 90.86% (99.8th percentile)
Affected

4 ranges

Vendor    Product   Version range              Fixed in
mantisbt  mantisbt  <= 2.3.0
mantisbt  mantisbt  >= 1.3.0-rc.2, < 1.3.10    1.3.10
mantisbt  mantisbt  >= 2.0.0, < 2.2.4          2.2.4
mantisbt  mantisbt  >= 2.3.0, < 2.3.1          2.3.1

Detection & IOCs (extracted from sources)

url:   /verify.php?id=1&confirm_hash=
path:  /verify.php
path:  /account_update.php
path:  /workflow_graph_img.php
path:  /adm_config_report.php
path:  /adm_config_set.php
url:   {{BaseURL}}/verify.php?id=1&confirm_hash=
url:   {{BaseURL}}/mantis/verify.php?id=1&confirm_hash=
url:   {{BaseURL}}/mantisBT/verify.php?id=1&confirm_hash=
url:   {{BaseURL}}/mantisbt-2.3.0/verify.php?id=1&confirm_hash=
url:   {{BaseURL}}/bugs/verify.php?confirm_hash=&id=1
other: http.favicon.hash:662709064
other: icon_hash=662709064
other: config_option=dot_tool
other: config_option=relationship_graph_enable
  • Detect exploit attempts by monitoring HTTP GET requests to verify.php with an empty confirm_hash parameter (confirm_hash=), which bypasses the hash comparison check at verify.php line 66.
  • Look for the presence of account_update_token in HTTP responses to verify.php, followed by a POST to account_update.php; this two-step sequence is the core exploit flow.
  • Match HTTP response body for the hidden account_update_token field as a confirmation of successful exploit trigger.
  • Flag unauthenticated POST requests to account_update.php containing verify_user_id and account_update_token fields, indicating a password hijack attempt.
  • For the chained RCE variant (CVE-2017-7615 + CVE-2019-15715), detect POST requests to adm_config_set.php creating dot_tool or relationship_graph_enable config options from unauthenticated or newly-hijacked sessions.
  • Use the Shodan favicon hash 662709064 or FOFA icon_hash=662709064 to identify internet-exposed MantisBT instances for proactive scanning.
  • The vulnerability only affects MantisBT versions >= 1.3.0 and 2.x up to 2.3.0; the 1.2.x branch is NOT affected.
  • The exploit guesses user IDs (starting with id=1 for administrator); detections should account for sequential or iterated id values in the query string.
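The two request-level indicators above (a GET to verify.php with an empty confirm_hash, followed from the same source by a POST to account_update.php, with iterated id values) can be checked directly against web-server access logs. The following is an added example written for this entry; it is not code from cbcvebase or the MantisBT project. It assumes Apache/nginx combined log format and the parameter names given in the advisory, and it runs over a few constructed log lines embedded in the block. Note that a standard access log does not record POST bodies, so the verify_user_id and account_update_token form fields cannot be matched here; that check needs a WAF or full-request capture.

```python
"""Access-log detection for the CVE-2017-7615 request pattern.

Added example (not from cbcvebase or MantisBT). Stage 1 is a GET to verify.php
whose confirm_hash parameter is present but empty; stage 2 is a follow-up POST to
account_update.php from the same source IP. Log format is assumed to be the
common/combined format (an assumption, not something stated in the advisory).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values=True matters: the indicator is an *empty* confirm_hash,
    # which parse_qs would silently drop with the default setting.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_empty_confirm_hash_request(rec):
    """Stage 1: GET .../verify.php with confirm_hash present but empty."""
    if rec["method"] != "GET" or not rec["path"].endswith("/verify.php"):
        return False
    values = rec["query"].get("confirm_hash")
    return values is not None and all(v == "" for v in values)


def is_account_update_post(rec):
    """Stage 2: POST to .../account_update.php (body not visible in access logs)."""
    return rec["method"] == "POST" and rec["path"].endswith("/account_update.php")


def detect(lines):
    """Return per-source-IP findings: the id values probed with an empty confirm_hash
    and whether a follow-up POST to account_update.php was seen from that IP."""
    findings = defaultdict(lambda: {"probed_ids": [], "account_update_post": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_empty_confirm_hash_request(rec):
            findings[rec["ip"]]["probed_ids"].extend(rec["query"].get("id", []))
        elif is_account_update_post(rec) and rec["ip"] in findings:
            # Only flag the POST when the same IP already tripped stage 1.
            findings[rec["ip"]]["account_update_post"] = True
    return dict(findings)


# Constructed sample lines (not real traffic): one iterating source that completes
# both stages, and one benign source using a real-looking confirm_hash value.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Apr/2017:10:00:01 +0000] "GET /mantis/verify.php?id=1&confirm_hash= HTTP/1.1" 200 5120',
    '203.0.113.5 - - [16/Apr/2017:10:00:02 +0000] "GET /mantis/verify.php?id=2&confirm_hash= HTTP/1.1" 200 5118',
    '203.0.113.5 - - [16/Apr/2017:10:00:04 +0000] "POST /mantis/account_update.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [16/Apr/2017:10:05:00 +0000] "GET /mantis/verify.php?id=7&confirm_hash=3f1a9c HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Apr/2017:10:05:09 +0000] "GET /mantis/view.php?id=7 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

Running the block prints one finding, for 203.0.113.5, listing the probed ids 1 and 2 with the account_update.php POST confirmed; the legitimate confirmation request from 198.51.100.7 produces nothing. The endswith() path checks are deliberate, since the IOC list above shows the application installed under several different prefixes (/mantis/, /mantisBT/, /bugs/).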

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P