Index: security/vuxml/vuln.xml =================================================================== --- security/vuxml/vuln.xml (revision 561337) +++ security/vuxml/vuln.xml (working copy) @@ -58,6 +58,50 @@ * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + mantis -- multiple vulnerabilities + + + mantis-php72 + mantis-php73 + mantis-php74 + mantis-php80 + 2.24.4,1 + + + + +

Mantis 2.24.4 release reports:

+
+

Security and maintenance release, addressing 6 CVEs:

+
    +
  • 0027726: CVE-2020-29603: disclosure of private project name
  • +
  • 0027727: CVE-2020-29605: disclosure of private issue summary
  • +
  • 0027728: CVE-2020-29604: full disclosure of private issue contents, including bugnotes and attachments
  • +
  • 0027361: Private category can be access/used by a non member of a private project (IDOR)
  • +
  • 0027779: CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  • +
  • 0026794: User Account - Takeover
  • +
  • 0027363: Fixed in version can be changed to a version that doesn't exist
  • +
  • 0027350: When updating an issue, a Viewer user can be set as Reporter
  • +
  • 0027370: CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
  • +
  • 0027495: CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function throught the API SOAP.
  • +
  • 0027444: Printing unsanitized user input in install.php
  • +
+
+ +
+ + CVE-2020-28413 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28413 + CVE-2020-35849 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35849 + + + 2020-11-10 + 2021-01-12 + +
+ sudo -- Potential information leak in sudoedit
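Review bot: the references block lists only CVE-2020-28413 and CVE-2020-35849, but the description above it enumerates six CVEs (CVE-2020-29603, CVE-2020-29605, CVE-2020-29604, CVE-2020-35571 plus those two), so the remaining four cvename entries and their matching mitre URLs are missing from the references and consumers that match advisories by CVE id will not find this entry for them; add one cvename/url pair per CVE in the same form as the existing two, keeping the order used in the description. Also confirm the package range for mantis-php72 through mantis-php80 is expressed as an upper bound of 2.24.4,1 (all affected versions below the fixed release) so that the fixed version itself is not flagged.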