CVE-2020-25781
First published: Wed Sep 30 2020(Updated: )
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mantisbt Mantisbt | <2.24.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-25781?
CVE-2020-25781 is a vulnerability in MantisBT before version 2.24.3 which allows users without access to view private issue notes to download the supposedly private attachments linked to those notes.
How severe is CVE-2020-25781?
CVE-2020-25781 has a severity rating of 4.3 (Medium).
How can I fix CVE-2020-25781?
To fix CVE-2020-25781, you need to update MantisBT to version 2.24.3 or later.
Where can I find more information about CVE-2020-25781?
You can find more information about CVE-2020-25781 on the MantisBT bug tracker at https://mantisbt.org/bugs/view.php?id=27039.
What is CWE-862?
CWE-862 refers to the vulnerability category 'Missing Authorization'.
- collector/nvd-index
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/author
- agent/remedy
- agent/last-modified-date
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- vendor/mantisbt
- canonical/mantisbt mantisbt