CVE-2020-25781
MantisBT unauthorized users able to access private files
Severity: MEDIUM 4.3 | EPSS 0.26%
Published: 2022/5/24 | Modified: 2025/5/29
Description
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
Affected packages (1)
- Packagist / mantisbt/mantisbt: from 0, < 2.24.3
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-25781
- PATCH: https://github.com/mantisbt/mantisbt
- WEB: http://github.com/mantisbt/mantisbt/commit/5595c90f11c48164331a20bb9c66098980516e93
- WEB: http://github.com/mantisbt/mantisbt/commit/9de20c09e5a557e57159a61657ce62f1a4f578fe
- WEB: https://mantisbt.org/bugs/view.php?id=27039