Home > Vulnerability Database > CVE-2023-22476

Mend.io Vulnerability Database

CVE-2023-22476

Date: February 23, 2023

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions prior to 2.25.6, due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can access to the Summary field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted "bug_arr[]" parameter in bug_actiongroup_ext.php. This issue is fixed in version 2.25.6. There are no workarounds.

Language: PHP

Severity Score

4.3

Related Resources (6)

Url: https://www.mantisbt.org/bugs/view.php?id=31086

Url: https://mantisbt.org/bugs/view.php?id=31086

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-22476

Url: https://github.com/mantisbt/mantisbt

Url: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79

Url: https://www.mend.io/vulnerability-database/CVE-2023-22476

Severity Score

4.3

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-22476

Date: February 23, 2023

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?