CVE-2013-1930 : MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow rest

MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow restriction and close issues.

Published 2019-10-31 20:15:10

Updated 2019-11-07 18:29:38

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2013-1930

Fedoraproject » Fedora » Version: 17
cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 18
cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
Matching versions
Mantisbt » Mantisbt
Versions from including (>=) 1.2.12 and before (<) 1.2.15
cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.70%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

https://exchange.xforce.ibmcloud.com/vulnerabilities/83796

MantisBT Close button security bypass CVE-2013-1930 Vulnerability Report
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/58890

MantisBT 'Close' Button Security Bypass Vulnerability
Third Party Advisory;VDB Entry
https://mantisbt.org/bugs/view.php?id=15453

0015453: CVE-2013-1930: Close button is shown on webpage despite 'close' is not a valid status by workflow - MantisBT
Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103459.html

[SECURITY] Fedora 18 Update: mantis-1.2.15-1.fc18
Third Party Advisory

CVEs referencing this url
https://security-tracker.debian.org/tracker/CVE-2013-1930

CVE-2013-1930
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103438.html

[SECURITY] Fedora 17 Update: mantis-1.2.15-1.fc17
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1930

948971 – (CVE-2013-1930) CVE-2013-1930 mantis: (Issue) Close button available despite of workflow restrictions
Issue Tracking;Third Party Advisory
http://www.openwall.com/lists/oss-security/2013/04/06/4

oss-security - Re: Multiple CVE requests for MantisBT
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to