=====================================================================
CERT-Renater Note d'Information No. 2025/VULN758
_____________________________________________________________________

DATE                 : 04/11/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running mantisbt versions prior to 2.27.2.
=====================================================================

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-g582-8vwr-68h2
_____________________________________________________________________

Authentication bypass for some passwords due to PHP type juggling
Severity: High
dregad published GHSA-4v8w-gg5j-ph37 on Nov 1, 2025

Package           : mantisbt/mantisbt (Composer)
Affected versions : <= 2.27.1
Patched versions  : 2.27.2

Description
Due to an incorrect use of loose (==) instead of strict (===) comparison in the authentication code, PHP type juggling causes certain MD5 hashes to be interpreted as numbers, specifically those matching scientific notation.

Impact
On MantisBT instances configured to use the MD5 login method, user accounts whose password hash evaluates to zero (i.e. matching the regex ^0+[Ee][0-9]+$) are vulnerable: an attacker who knows the victim's username can log in without knowing their actual password, using any other password whose hash also evaluates to zero, for example comito5 (0e579603064547166083907005281618). No password brute-forcing of individual users is needed, so $g_max_failed_login_count does not protect against the attack.

Patches
Work in progress

Workarounds
Check the database for vulnerable accounts and change those users' passwords, e.g. for MySQL:

  SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$'

References
https://mantisbt.org/bugs/view.php?id=35967

Credits
Thanks to Harry Sintonen / Reversec for discovering and reporting the issue.

Severity: High, 8.8/10
CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector       : Network
    Attack Complexity   : Low
    Attack Requirements : None
    Privileges Required : None
    User Interaction    : None
  Vulnerable System Impact Metrics
    Confidentiality : Low
    Integrity       : High
    Availability    : None
  Subsequent System Impact Metrics
    Confidentiality : None
    Integrity       : None
    Availability    : None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CVE ID     : CVE-2025-47776
Weaknesses : CWE-305
Credits    : @dregad dregad (Remediation developer), @piru piru (Finder)
_____________________________________________________________________

Denial-of-Service (DoS) via Excessive Note Length in MantisBT
Severity: Moderate
dregad published GHSA-r3jf-hm7q-qfw5 on Nov 1, 2025

Package           : mantisbt/mantisbt (Composer)
Affected versions : < 2.27.2
Patched versions  : 2.27.2

Description
A lack of server-side validation of note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters).

Impact
Once such a note is added:
  - The entire activity stream becomes unviewable (the UI fails to render).
  - New notes cannot be displayed, effectively breaking all future collaboration on the issue.

Patches
Under development

Workarounds
None

References
https://mantisbt.org/bugs/view.php?id=35893

Credits
Thanks to Mazen Mahmoud (@TheAmazeng) for reporting the vulnerability.

Severity: Moderate, 6.5/10
CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : None
  Availability        : High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID     : CVE-2025-46556
Weaknesses : CWE-770
Credits    : @TheAmazeng TheAmazeng (Finder), @dregad dregad (Remediation developer)
_____________________________________________________________________

Lack of verification when changing a user's email address
Severity: Moderate
dregad published GHSA-q747-c74m-69pr on Nov 1, 2025

Package           : mantisbt (Composer)
Affected versions : <= 2.27.1
Patched versions  : 2.27.2

Description
When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.

Impact
This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure.

Patches
Work in progress

Workarounds
None

References
https://mantisbt.org/bugs/view.php?id=36005

Credits
Thanks to @ncrcs for discovering and reporting the issue.

Severity: Moderate, 5.4/10
CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : Low
  Integrity           : Low
  Availability        : None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE ID     : CVE-2025-55155
Weaknesses : CWE-201, CWE-345
Credits    : @ncrcs ncrcs (Reporter), @dregad dregad (Remediation developer)
_____________________________________________________________________

Ability to copy private project configurations
Severity: Moderate
dregad published GHSA-g582-8vwr-68h2 on Nov 1, 2025

Package           : mantisbt/mantisbt (Composer)
Affected versions : <= 2.27.1
Patched versions  : 2.27.2

Description / Impact
Due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php (typically project managers holding the MANAGER role) can use the Copy From action to retrieve the columns configuration of a private project they have no access to. Access to the reverse operation (Copy To) is correctly controlled, i.e. it is not possible to alter the private project's configuration.

Patches
The vulnerability will be fixed in MantisBT version 2.27.2.

Workarounds
None

Credits
Thanks to d3vpoo1 for reporting the issue.

References
https://mantisbt.org/bugs/view.php?id=36502

Severity: Moderate, 5.3/10
CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector       : Network
    Attack Complexity   : Low
    Attack Requirements : None
    Privileges Required : Low
    User Interaction    : None
  Vulnerable System Impact Metrics
    Confidentiality : Low
    Integrity       : None
    Availability    : None
  Subsequent System Impact Metrics
    Confidentiality : None
    Integrity       : None
    Availability    : None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVE ID     : CVE-2025-62520
Weaknesses : CWE-200
Credits    : @jrckmcsb jrckmcsb (Reporter), @atrol atrol (Remediation developer), @dregad dregad (Coordinator)

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================
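The following is an added illustration of the type-juggling issue in GHSA-4v8w-gg5j-ph37 above; it is not MantisBT code. It emulates in Python what PHP's loose (==) and strict (===) comparisons do to MD5 hex digests, and runs the same zero-like-hash check as the advisory's SQL workaround over constructed, hypothetical user rows. The sample passwords QNKCDZO and 240610708 are well-known public examples of strings whose MD5 digests start with 0e followed only by digits.

```python
import hashlib
import re

# PHP's loose comparison (==) coerces numeric-looking strings to numbers.
# A hex digest of the form 0e<digits> parses as 0 * 10^<digits> == 0.0,
# so every such digest compares equal to every other one under ==.
ZERO_LIKE_HASH = re.compile(r"^0+[Ee][0-9]+$")


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_zero_like(hexdigest: str) -> bool:
    """True if PHP would coerce this digest to the number zero (advisory regex)."""
    return ZERO_LIKE_HASH.match(hexdigest) is not None


def loose_compare(stored_hash: str, submitted_password: str) -> bool:
    """Emulates the vulnerable PHP check: md5($password) == $stored_hash."""
    candidate = md5_hex(submitted_password)
    if candidate == stored_hash:
        return True
    # Numeric-string coercion: both sides become 0.0 and compare equal.
    return is_zero_like(candidate) and is_zero_like(stored_hash)


def strict_compare(stored_hash: str, submitted_password: str) -> bool:
    """Emulates the fixed PHP check: md5($password) === $stored_hash (bytes only)."""
    return md5_hex(submitted_password) == stored_hash


def find_vulnerable_accounts(rows):
    """Same test as the advisory's MySQL REGEXP workaround, applied to exported rows."""
    return [row["username"] for row in rows if is_zero_like(row["password"])]


# Constructed sample of mantis_user_table rows (hypothetical users, not real data).
SAMPLE_ROWS = [
    {"username": "alice", "email": "alice@example.test", "password": md5_hex("QNKCDZO")},
    {"username": "bob", "email": "bob@example.test", "password": md5_hex("correct horse")},
]

if __name__ == "__main__":
    print("accounts to re-password:", find_vulnerable_accounts(SAMPLE_ROWS))
    print("loose  ==  accepts wrong password:", loose_compare(SAMPLE_ROWS[0]["password"], "240610708"))
    print("strict === accepts wrong password:", strict_compare(SAMPLE_ROWS[0]["password"], "240610708"))
```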