CVE-2012-5523

medium

Description

core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/80070

http://www.securityfocus.com/bid/56520

http://www.mantisbt.org/bugs/view.php?id=14704

http://www.mantisbt.org/bugs/changelog_page.php?version_id=150

http://openwall.com/lists/oss-security/2012/11/14/1

http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093064.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093063.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092926.html

Details

Source: Mitre, NVD

Published: 2012-11-16

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium