Total vulnerabilities in the database
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.
Software | From | Fixed in |
---|---|---|
mantisbt / mantisbt | 1.2.17 | 1.2.17.x |