CVE-2012-2691

The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.

Affected Software

Name	Vendor	Start Version	End Version
Mantisbt	Mantisbt	*	1.2.10 (including)
Mantisbt	Mantisbt	0.18.0 (including)	0.18.0 (including)
Mantisbt	Mantisbt	0.19.0 (including)	0.19.0 (including)
Mantisbt	Mantisbt	0.19.0-a1 (including)	0.19.0-a1 (including)
Mantisbt	Mantisbt	0.19.0-a2 (including)	0.19.0-a2 (including)
Mantisbt	Mantisbt	0.19.0-rc1 (including)	0.19.0-rc1 (including)
Mantisbt	Mantisbt	0.19.1 (including)	0.19.1 (including)
Mantisbt	Mantisbt	0.19.2 (including)	0.19.2 (including)
Mantisbt	Mantisbt	0.19.3 (including)	0.19.3 (including)
Mantisbt	Mantisbt	0.19.4 (including)	0.19.4 (including)
Mantisbt	Mantisbt	0.19.5 (including)	0.19.5 (including)
Mantisbt	Mantisbt	1.0.0 (including)	1.0.0 (including)
Mantisbt	Mantisbt	1.0.0-a1 (including)	1.0.0-a1 (including)
Mantisbt	Mantisbt	1.0.0-a2 (including)	1.0.0-a2 (including)
Mantisbt	Mantisbt	1.0.0-a3 (including)	1.0.0-a3 (including)
Mantisbt	Mantisbt	1.0.0-rc1 (including)	1.0.0-rc1 (including)
Mantisbt	Mantisbt	1.0.0-rc2 (including)	1.0.0-rc2 (including)
Mantisbt	Mantisbt	1.0.0-rc3 (including)	1.0.0-rc3 (including)
Mantisbt	Mantisbt	1.0.0-rc4 (including)	1.0.0-rc4 (including)
Mantisbt	Mantisbt	1.0.0-rc5 (including)	1.0.0-rc5 (including)
Mantisbt	Mantisbt	1.0.1 (including)	1.0.1 (including)
Mantisbt	Mantisbt	1.0.2 (including)	1.0.2 (including)
Mantisbt	Mantisbt	1.0.3 (including)	1.0.3 (including)
Mantisbt	Mantisbt	1.0.4 (including)	1.0.4 (including)
Mantisbt	Mantisbt	1.0.5 (including)	1.0.5 (including)
Mantisbt	Mantisbt	1.0.7 (including)	1.0.7 (including)
Mantisbt	Mantisbt	1.0.8 (including)	1.0.8 (including)
Mantisbt	Mantisbt	1.0.9 (including)	1.0.9 (including)
Mantisbt	Mantisbt	1.1.0 (including)	1.1.0 (including)
Mantisbt	Mantisbt	1.1.0-a1 (including)	1.1.0-a1 (including)
Mantisbt	Mantisbt	1.1.0-a2 (including)	1.1.0-a2 (including)
Mantisbt	Mantisbt	1.1.0-a3 (including)	1.1.0-a3 (including)
Mantisbt	Mantisbt	1.1.0-a4 (including)	1.1.0-a4 (including)
Mantisbt	Mantisbt	1.1.0-rc1 (including)	1.1.0-rc1 (including)
Mantisbt	Mantisbt	1.1.0-rc2 (including)	1.1.0-rc2 (including)
Mantisbt	Mantisbt	1.1.0-rc3 (including)	1.1.0-rc3 (including)
Mantisbt	Mantisbt	1.1.1 (including)	1.1.1 (including)
Mantisbt	Mantisbt	1.1.2 (including)	1.1.2 (including)
Mantisbt	Mantisbt	1.1.3 (including)	1.1.3 (including)
Mantisbt	Mantisbt	1.1.4 (including)	1.1.4 (including)
Mantisbt	Mantisbt	1.1.5 (including)	1.1.5 (including)
Mantisbt	Mantisbt	1.1.6 (including)	1.1.6 (including)
Mantisbt	Mantisbt	1.1.7 (including)	1.1.7 (including)
Mantisbt	Mantisbt	1.1.8 (including)	1.1.8 (including)
Mantisbt	Mantisbt	1.1.9 (including)	1.1.9 (including)
Mantisbt	Mantisbt	1.2.0 (including)	1.2.0 (including)
Mantisbt	Mantisbt	1.2.0-alpha1 (including)	1.2.0-alpha1 (including)
Mantisbt	Mantisbt	1.2.0-alpha2 (including)	1.2.0-alpha2 (including)
Mantisbt	Mantisbt	1.2.0-alpha3 (including)	1.2.0-alpha3 (including)
Mantisbt	Mantisbt	1.2.0-rc1 (including)	1.2.0-rc1 (including)
Mantisbt	Mantisbt	1.2.0-rc2 (including)	1.2.0-rc2 (including)
Mantisbt	Mantisbt	1.2.1 (including)	1.2.1 (including)
Mantisbt	Mantisbt	1.2.2 (including)	1.2.2 (including)
Mantisbt	Mantisbt	1.2.3 (including)	1.2.3 (including)
Mantisbt	Mantisbt	1.2.4 (including)	1.2.4 (including)
Mantisbt	Mantisbt	1.2.5 (including)	1.2.5 (including)
Mantisbt	Mantisbt	1.2.6 (including)	1.2.6 (including)
Mantisbt	Mantisbt	1.2.7 (including)	1.2.7 (including)
Mantisbt	Mantisbt	1.2.8 (including)	1.2.8 (including)
Mantisbt	Mantisbt	1.2.9 (including)	1.2.9 (including)
Mantis	Ubuntu	hardy	*
Mantis	Ubuntu	lucid	*
Mantis	Ubuntu	natty	*
Mantis	Ubuntu	oneiric	*
Mantis	Ubuntu	precise	*
Mantis	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2012-2691
CWE	https://cwe.mitre.org/data/definitions/264.html

Affected Software

References