Date: Sun, 16 Apr 2017 19:06:07 +0200
From: Damien Regad <>
Subject: Re: MantisBT - Full admin access vulnerability - CVE-2017-7615

> A vulnerability exists in MantisBT where any users password can be reset:

This is registered as CVE-2017-7615. It was discovered and reported to
us by John Page aka hyp3rlinx from ApparitionSec.

We didn't post it here before, as due to the severity of the issue we
wanted to give the opportunity to our users to patch their systems
before full public disclosure, so we notified them via private e-mail.

Unfortunately someone decided to post it here (anonymously, too...) in
spite of our request to keep the embargo, so here's the rest of the story.

The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be
released shortly.

Until then, all MantisBT administrators are advised to patch their
systems immediately. Fixes are available from our GitHub repository:

- 2.3.x
- 2.2.x
- 1.3.x

MantisBT issue tracker reference:

Best regards
D. Regad
MantisBT developer
