Mantis Bug Tracker Bugnote Revision Page Private Issue Metadata Disclosure Vulnerability

Vulnerability

A vulnerability in Mantis Bug Tracker (MantisBT) versions through 2.28.1 allows the author of a bugnote to open the Revisions page of that note after losing access to the parent issue, for example once the issue has been made private. The revision page exposes metadata of the parent issue, such as the issue ID and summary, although the revision text itself is not disclosed. The root cause is that the access check for the bugnote revision page authorizes the request on the basis of the note alone and does not verify that the requesting user may still view the associated private issue.
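The missing check described above, modelled in Python as an added example (this is not MantisBT code; the access levels, object model, and the sample issue and note are constructed for illustration). The vulnerable handler authorizes the revision page on note authorship alone; the corrected handler first resolves the note to its parent issue and applies the issue-level view check, so a note on an issue the user can no longer see yields a 403 as well.

```python
# Added example, not MantisBT code. Minimal model of the bugnote revision
# page access check: vulnerable form beside the corrected form.
from dataclasses import dataclass, field

PUBLIC, PRIVATE = "public", "private"
VIEWER, DEVELOPER = 10, 50  # assumed access levels, not MantisBT's constants


@dataclass
class Issue:
    id: int
    summary: str
    view_state: str = PUBLIC


@dataclass
class Bugnote:
    id: int
    issue_id: int
    author: str
    revisions: list = field(default_factory=list)


@dataclass
class User:
    name: str
    access_level: int = VIEWER


class Tracker:
    def __init__(self):
        self.issues = {}
        self.bugnotes = {}
        self.private_threshold = DEVELOPER  # level needed to view private issues

    def can_view_issue(self, user, issue_id):
        """Issue-level check: private issues need the private threshold."""
        issue = self.issues.get(issue_id)
        if issue is None:
            return False
        if issue.view_state == PRIVATE:
            return user.access_level >= self.private_threshold
        return True

    def _revision_payload(self, note):
        issue = self.issues[note.issue_id]
        # Metadata of the parent issue is rendered on the revision page.
        return {"issue_id": issue.id, "summary": issue.summary,
                "revision_count": len(note.revisions)}

    def revision_page_vulnerable(self, user, bugnote_id):
        """Authorizes on the note alone: authorship is checked, the parent
        issue's view state is never consulted."""
        note = self.bugnotes.get(bugnote_id)
        if note is None or note.author != user.name:
            return 403, None
        return 200, self._revision_payload(note)

    def revision_page_fixed(self, user, bugnote_id):
        """Resolve note -> parent issue and apply the issue check before
        any note-specific authorization."""
        note = self.bugnotes.get(bugnote_id)
        if note is None or not self.can_view_issue(user, note.issue_id):
            return 403, None
        if note.author != user.name:
            return 403, None
        return 200, self._revision_payload(note)


def scenario():
    """Constructed walk-through of the advisory: note on a public issue,
    issue made private, revision page requested by the note's author."""
    t = Tracker()
    t.issues[7] = Issue(7, "Password reset token can be reused")
    t.bugnotes[42] = Bugnote(42, 7, "alice", ["first draft", "second draft"])
    alice = User("alice", VIEWER)
    visible_before = t.can_view_issue(alice, 7)
    t.issues[7].view_state = PRIVATE
    visible_after = t.can_view_issue(alice, 7)
    vuln_status, vuln_body = t.revision_page_vulnerable(alice, 42)
    fixed_status, fixed_body = t.revision_page_fixed(alice, 42)
    return {
        "issue_visible_before": visible_before,
        "issue_visible_after": visible_after,
        "vulnerable": (vuln_status, vuln_body),
        "fixed": (fixed_status, fixed_body),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The pattern generalizes beyond bugnotes: any child object (attachment, note, revision, history entry) must inherit the parent's authorization decision, and the parent check must run before any child-specific check that could itself leak the parent's existence or attributes.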

Impact

A user who authored a bugnote keeps read access to metadata of the parent issue, including the issue ID and summary, after the issue has been made private and the user's access to it revoked. The revision text itself is not exposed, so the impact is limited to disclosure of private issue metadata to a former participant.

Reproduction

To reproduce this vulnerability, log in as a low-privileged user, add a bugnote to a public issue, and edit the note at least once so that it has revision history. Then, as an administrator, change the issue's view state to private and confirm that the low-privileged user receives a '403 Forbidden' response when opening the issue page. Finally, still in the low-privileged user's session, open the bugnote revision page directly by its bugnote ID. On an affected version the revision page returns '200 OK' and shows the private issue's ID and summary, even though the issue page itself is no longer accessible.
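A small checker for the procedure above, added here as an example and not part of the advisory. It issues the two requests with the low-privileged user's session cookie and interprets the pair of status codes. The endpoint paths (`view.php?id=` for the issue page and `bug_revision_view_page.php?bugnote_id=` for the revision page) are assumptions about a standard MantisBT install; adjust them if your deployment differs. The `fetch` parameter exists so the classification can be exercised without a live server.

```python
# Added example, not from the advisory. Verifies whether an instance still
# serves the bugnote revision page for an issue the session can no longer view.
# Endpoint paths below are assumptions about a default MantisBT layout.
import sys
import urllib.error
import urllib.request

ISSUE_PATH = "/view.php?id={issue_id}"
REVISION_PATH = "/bug_revision_view_page.php?bugnote_id={bugnote_id}"


def http_status(url, cookie):
    """Return the HTTP status for url sent with the given Cookie header value.
    Error responses (403, 404, ...) are returned as codes, not raised."""
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(issue_status, revision_status):
    """Interpret the status pair as seen by the low-privileged session."""
    if issue_status == 200:
        return "inconclusive: issue still visible, make it private first"
    if issue_status == 403 and revision_status == 200:
        return "vulnerable"
    if issue_status == 403 and revision_status == 403:
        return "not reproduced"
    return "inconclusive: issue %s, revision %s" % (issue_status, revision_status)


def check_instance(base_url, issue_id, bugnote_id, cookie, fetch=http_status):
    """Run both requests and return (issue_status, revision_status, verdict)."""
    base = base_url.rstrip("/")
    issue_status = fetch(base + ISSUE_PATH.format(issue_id=issue_id), cookie)
    revision_status = fetch(base + REVISION_PATH.format(bugnote_id=bugnote_id), cookie)
    return issue_status, revision_status, classify(issue_status, revision_status)


if __name__ == "__main__":
    # usage: check.py https://mantis.example.org 7 42 'MANTIS_STRING_COOKIE=...'
    if len(sys.argv) != 5:
        sys.exit("usage: check.py BASE_URL ISSUE_ID BUGNOTE_ID COOKIE_HEADER")
    base_url, issue_id, bugnote_id, cookie = sys.argv[1:5]
    print(check_instance(base_url, issue_id, bugnote_id, cookie))
```

Run it only with a session you own on an instance you are authorized to test; the cookie header value is whatever your browser sends for the logged-in low-privileged user.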

Remediation

Upgrade to MantisBT version 2.28.2, which contains the fix for this vulnerability. Until the upgrade is applied, note that making an issue private does not remove a former participant's ability to read its ID and summary through their own bugnote revision pages.

Added: May 20, 2026, 12:19 AM
Updated: May 20, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.