CVE-2020-25781 - Missing Authorization vulnerability in MantisBT
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: LOW
- Confidentiality impact: LOW
- Integrity impact: NONE
- Availability impact: NONE
Summary
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
References
- http://github.com/mantisbt/mantisbt/commit/5595c90f11c48164331a20bb9c66098980516e93
- http://github.com/mantisbt/mantisbt/commit/9de20c09e5a557e57159a61657ce62f1a4f578fe
- https://mantisbt.org/bugs/view.php?id=27039