Skip to content

Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process

High severity GitHub Reviewed Published May 12, 2024 in mantisbt/mantisbt • Updated May 14, 2024

Package

composer mantisbt/mantisbt (Composer)

Affected versions

<= 2.26.1

Patched versions

2.26.2

Description

Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending.

The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.

A brute-force attack calling account_update.php with increasing user IDs is possible.

Impact

A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.

Patches

92d11a01b195a1b6717a2f205218089158ea6d00

Workarounds

Mitigate the risk by reducing the verification token's validity (change the value of the TOKEN_EXPIRY_AUTHENTICATED constant in constants_inc.php).

References

https://mantisbt.org/bugs/view.php?id=34433

Credits

Alexander Christian, from Vantage Point Security Indonesia

References

@dregad dregad published to mantisbt/mantisbt May 12, 2024
Published to the GitHub Advisory Database May 13, 2024
Reviewed May 13, 2024
Published by the National Vulnerability Database May 14, 2024
Last updated May 14, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS score

0.045%
(18th percentile)

CVE ID

CVE-2024-34077

GHSA ID

GHSA-93x3-m7pw-ppqm

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.