CVE-2024-23830 - Unspecified vulnerability in MantisBT
CVSS metrics
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: LOW
Summary
MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user's email address and username can hijack the user's account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`.
Vulnerable Configurations
References
- https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528
- https://mantisbt.org/bugs/view.php?id=19381