Mantis before 0.17.4 allows remote attackers to list project bugs without authentication by modifying the cookie that is used by the View Bugs page.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mantis | Mantis | 0.15.3 (including) | 0.15.3 (including) |
| Mantis | Mantis | 0.15.4 (including) | 0.15.4 (including) |
| Mantis | Mantis | 0.15.5 (including) | 0.15.5 (including) |
| Mantis | Mantis | 0.15.6 (including) | 0.15.6 (including) |
| Mantis | Mantis | 0.15.7 (including) | 0.15.7 (including) |
| Mantis | Mantis | 0.15.8 (including) | 0.15.8 (including) |
| Mantis | Mantis | 0.15.9 (including) | 0.15.9 (including) |
| Mantis | Mantis | 0.15.10 (including) | 0.15.10 (including) |
| Mantis | Mantis | 0.15.11 (including) | 0.15.11 (including) |
| Mantis | Mantis | 0.15.12 (including) | 0.15.12 (including) |
| Mantis | Mantis | 0.16.0 (including) | 0.16.0 (including) |
| Mantis | Mantis | 0.16.1 (including) | 0.16.1 (including) |
| Mantis | Mantis | 0.17.0 (including) | 0.17.0 (including) |
| Mantis | Mantis | 0.17.1 (including) | 0.17.1 (including) |
| Mantis | Mantis | 0.17.2 (including) | 0.17.2 (including) |
| Mantis | Mantis | 0.17.3 (including) | 0.17.3 (including) |