CVE-2008-4688

2008-10-2218:00:00

CWE-200

[email protected]

web.nvd.nist.gov

mantis

cve-2008-4688

string_api.php

information security

remote attackers

vulnerability

nvd

6.7 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

75.9%

JSON

core/string_api.php in Mantis before 1.1.3 does not check the privileges of the viewer before composing a link with issue data in the source anchor, which allows remote attackers to discover an issue’s title and status via a request with a modified issue number.

CPENameOperatorVersion
mantis:mantismantiseq1.0.6
mantis:mantismantiseq1.0.2
mantis:mantismantiseq1.0.4
mantis:mantismantiseq1.0.8
mantis:mantismantiseq0.19.3
mantis:mantismantiseq1.0.7
mantis:mantismantisle1.1.3
mantis:mantismantiseq1.1.2
mantis:mantismantiseq1.0.1
mantis:mantismantiseq1.0.3

CPE	Name	Operator	Version
mantis:mantis	mantis	eq	1.0.6
mantis:mantis	mantis	eq	1.0.2
mantis:mantis	mantis	eq	1.0.4
mantis:mantis	mantis	eq	1.0.8
mantis:mantis	mantis	eq	0.19.3
mantis:mantis	mantis	eq	1.0.7
mantis:mantis	mantis	le	1.1.3
mantis:mantis	mantis	eq	1.1.2
mantis:mantis	mantis	eq	1.0.1
mantis:mantis	mantis	eq	1.0.3