Mantis before 1.1.3 does not unset the session cookie during logout, which makes it easier for remote attackers to hijack sessions.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Mantis | Mantis | 1.0.6 | 1.0.6 |
Mantis | Mantis | 1.0.2 | 1.0.2 |
Mantis | Mantis | * | 1.1.2 |
Mantis | Mantis | 1.0.4 | 1.0.4 |
Mantis | Mantis | 1.0.8 | 1.0.8 |
Mantis | Mantis | 0.19.3 | 0.19.3 |
Mantis | Mantis | 1.0.7 | 1.0.7 |
Mantis | Mantis | 1.0.1 | 1.0.1 |
Mantis | Mantis | 1.0.3 | 1.0.3 |
Mantis | Mantis | 1.0.5 | 1.0.5 |
Mantis | Mantis | 1.1.1 | 1.1.1 |
Mantis | Mantis | 0.19.4 | 0.19.4 |