CVE-2009-20001

HIGH8.1EPSS 0.14%

MantisBT Insufficient Session Expiration cookie string not reset after logout

Published: 4/21/2022Modified: 6/9/2025

Description

An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.

Affected packages (1)

Packagist/mantisbt/mantisbtfrom 0, < 2.24.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2009-20001
PATCHhttps://github.com/mantisbt/mantisbt
WEBhttps://github.com/mantisbt/mantisbt/commit/79a78c09d5ef5ce098adc73f6f1416f00fc238a5
WEBhttps://mantisbt.org/bugs/view.php?id=11296
WEBhttps://mantisbt.org/bugs/view.php?id=27976