Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2012-2692

MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.

Related bugs and status

CVE-2012-2692 (Candidate) is related to these bugs:

Bug #1011823: mantisbt : multiple vulnerabilities

		In	Importance	Status
1011823	mantisbt : multiple vulnerabilities	mantis (Ubuntu)	Undecided	Triaged
1011823	mantisbt : multiple vulnerabilities	Gentoo Linux	Low	Fix Released
1011823	mantisbt : multiple vulnerabilities	Fedora	Low	Fix Released
1011823	mantisbt : multiple vulnerabilities	mantis (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://secunia.com/adv...
MISC: http://www.securityfoc...
MISC: http://lists.fedorapro...
MISC: http://lists.fedorapro...
MISC: http://lists.fedorapro...
MISC: http://security.gentoo...
MISC: http://www.openwall.co...
MISC: http://www.openwall.co...
MISC: http://www.mantisbt.or...
MISC: http://www.mantisbt.or...
MISC: https://github.com/man...