CVE-2014-9506

MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://seclists.org/oss-sec/2014/q4/955
http://secunia.com/advisories/62101
http://www.debian.org/security/2015/dsa-3120
https://www.mantisbt.org/bugs/changelog_page.php?version_id=191	Vendor Advisory
https://www.mantisbt.org/bugs/view.php?id=9885	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2015-01-04 21:59

Updated : 2017-01-03 02:59

NVD link : CVE-2014-9506

Mitre link : CVE-2014-9506

CVE.ORG link : CVE-2014-9506

JSON object : View

Products Affected

mantisbt

mantisbt

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

3.5 /10