GitHub_MCVELIST:CVE-2024-23830CVE-2024-23830 MantisBT Host Header Injection vulnerability
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
0.0004 Low
EPSS
Percentile
15.8%
MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user’s email address and username can hijack the user’s account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define $g_path as appropriate in config_inc.php.
CNA Affected
[
{
"vendor": "mantisbt",
"product": "mantisbt",
"versions": [
{
"version": "< 2.26.1",
"status": "affected"
}
]
}
]Related
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
0.0004 Low
EPSS
Percentile
15.8%