Home > Vulnerability Database > CVE-2020-25781

Mend.io Vulnerability Database

CVE-2020-25781

Date: September 30, 2020

An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.

Language: PHP

Severity Score

4.3

Related Resources (6)

Url: http://github.com/mantisbt/mantisbt/commit/5595c90f11c48164331a20bb9c66098980516e93

Url: https://mantisbt.org/bugs/view.php?id=27039

Url: http://github.com/mantisbt/mantisbt/commit/9de20c09e5a557e57159a61657ce62f1a4f578fe

Url: https://github.com/mantisbt/mantisbt

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-25781

Url: https://www.mend.io/vulnerability-database/CVE-2020-25781

Severity Score

4.3

Weakness Type (CWE)

Missing Authorization

CWE-862

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-25781

Date: September 30, 2020

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?