Vulnerabilities > CVE-2009-20001 - Insufficient Session Expiration vulnerability in Mantisbt

047910
CVSS 5.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
mantisbt
CWE-613

Summary

An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.

Vulnerable Configurations

Part Description Count
Application
Mantisbt
172

Common Weakness Enumeration (CWE)