Mantis Bug Tracker Privilege Escalation Vulnerability Allowing Unauthorized Project-level Administrator Access

Vulnerability

A privilege escalation vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior. The issue arises from insufficient access control checks in the ProjectUsersAddCommand, which is used in the manage_proj_user_add.php file and the REST API endpoint for adding project users. This vulnerability allows users with manager-level access to grant project-level administrator rights to any user, including themselves, in projects where they have manager rights. The vulnerability exists because the backend handler accepts forged access level values that exceed the user's actual permissions, bypassing the intended restrictions. While the impact of this vulnerability is moderate, as project-level administrator access does not confer global administrative rights or allow deletion of projects, it still represents a significant authorization flaw that could be exploited to manipulate project roles improperly.
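To make the missing check concrete, here is an added illustration (hypothetical code modelled on the flaw described above, not MantisBT's own ProjectUsersAddCommand) of a project-user-add handler that only verifies the caller may manage users, beside a hardened version that also caps the granted level at the caller's own level. The numeric access-level constants are assumed from MantisBT's default configuration and are not stated on this page; the project and user data is constructed sample data.

```python
"""Added example: project-user-add handler without and with a server-side
access-level cap. Hypothetical code, not MantisBT's implementation."""

from dataclasses import dataclass, field

# Default MantisBT access-level thresholds (assumed from the project's default
# configuration; the values are not given on the page).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
KNOWN_LEVELS = {VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR}

# Level required to manage a project's user list (assumed to be MANAGER).
MANAGE_PROJECT_THRESHOLD = MANAGER


class AccessDenied(Exception):
    """Raised when the acting user is not allowed to perform the change."""


@dataclass
class Project:
    # user_id -> access level within this project (constructed sample data)
    members: dict = field(default_factory=dict)

    def level_of(self, user_id: int) -> int:
        return self.members.get(user_id, 0)


def add_project_user_vulnerable(project: Project, actor: int, target: int,
                                requested_level: int) -> int:
    """Checks only that the actor may manage users; trusts the requested level.

    The UI may hide levels above the actor's own, but a direct request (REST
    PUT or hand-crafted form submission) reaches this code unchanged.
    """
    if project.level_of(actor) < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor cannot manage project users")
    # Missing: requested_level is never compared with the actor's own level.
    project.members[target] = requested_level
    return project.members[target]


def add_project_user_hardened(project: Project, actor: int, target: int,
                              requested_level: int) -> int:
    """Same handler with the cap enforced on the server, not just in the UI."""
    if requested_level not in KNOWN_LEVELS:
        raise ValueError("unknown access level")
    actor_level = project.level_of(actor)
    if actor_level < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor cannot manage project users")
    # Nobody may grant more than they hold themselves, to anyone, self included.
    if requested_level > actor_level:
        raise AccessDenied("requested access level exceeds the actor's own level")
    # Design choice (not from the page): an actor may not touch a member who
    # already outranks them, so a manager cannot demote a project administrator.
    if project.level_of(target) > actor_level:
        raise AccessDenied("target already outranks the actor")
    project.members[target] = requested_level
    return project.members[target]
```

The important property is that the cap lives in the command handler shared by the web form and the REST endpoint, so every entry point inherits it; a check that exists only in the form's rendered dropdown protects nothing.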

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling users to gain project-level administrator access without proper authorization. This could lead to inappropriate modifications of project user roles and responsibilities.

Reproduction

To reproduce this vulnerability, log in as a user with manager access. Then, send a REST API PUT request to the project user management endpoint, including a forged access level value that exceeds the manager's authorized level. Alternatively, use the project user addition form to submit a higher access level, which will be accepted by the backend despite being blocked in the UI.

Remediation

Users can upgrade to MantisBT version 2.28.2, where this vulnerability has been fixed.

Added: May 19, 2026, 10:20 PM
Updated: May 19, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

  spread          5.0
  impact          2.5
  exploitability  6.1
  remediation     7.7
  relevance       8.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.