CVE-2024-45792 in MantisBT
Summary
by MITRE • 09/30/2024
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles. This vulnerability is fixed in 2.26.4.
Analysis
by VulDB Data Team • 08/15/2025
CVE-2024-45792 affects Mantis Bug Tracker (MantisBT) version 2.26.3 and earlier. It is a critical information disclosure flaw that undermines the application's user privacy and access controls. The weakness lies in how the application handles user profile data: an unprivileged but registered user can send a crafted POST request and read information about other users' personal system profiles. Because the authorization checks on this path are insufficient, users without the required privileges can bypass the normal access restrictions and retrieve data they should not be able to view. This is a direct violation of the principle of least privilege that underpins secure application design.
Technically, the vulnerability stems from inadequate input validation and access control enforcement in MantisBT's user profile retrieval functionality. When a malicious user submits a crafted POST request, the application does not properly verify that the requesting user is authorized to access the targeted user's profile information. As a result, an attacker can obtain profile records the application should refuse to return, potentially exposing personal information including, but not limited to, user identifiers, system access details, and other sensitive metadata that should remain confidential within the application's user management system. Exploitation requires neither administrative privileges nor special authentication tokens, which makes the flaw particularly dangerous: any registered user of the system can leverage it.
The operational impact of CVE-2024-45792 extends beyond simple data exposure and creates risks for user privacy, system security, and organizational compliance. Organizations relying on MantisBT for issue tracking and project management may face significant consequences, including unauthorized access to sensitive project information, exposure of user credentials, and potential escalation to more severe attacks. The disclosed data lets an attacker build a picture of system users, their roles, and their access patterns, which can then be used to plan targeted attacks or social engineering campaigns. Such an information disclosure could also violate privacy regulations such as GDPR, CCPA, and other data protection frameworks, with legal and regulatory consequences for organizations that fail to address the vulnerability promptly. The impact is particularly severe where MantisBT is used to manage sensitive business or government projects in which user privacy and data confidentiality are paramount.
The vulnerability is classified under CWE-200, "Information Exposure," and is a specific instance of inadequate access control. From an attacker's perspective it maps to ATT&CK technique T1213.002, "Data from Information Repositories," in which adversaries extract data from databases or repositories that hold user information. Organizations should upgrade immediately to MantisBT version 2.26.4 or later, which contains the patch for this issue. Additional mitigations include network-level access controls in front of the application, monitoring for unusual POST request patterns, and regular audits of user access controls. The fix in version 2.26.4 likely comprises stricter input validation, strengthened access control checks, and explicit authorization verification on every user profile retrieval, so that a user can read only the profile information their role-based permissions and access level allow.
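The access-control failure described above, as an added illustration that is not MantisBT's own code: a minimal model of a profile lookup that trusts the POST body and skips authorization, beside a hardened version that derives identity from the server-side session and authorizes before it reads. The access-level constants, usernames and profile fields are constructed sample data.

```python
# Added illustration, not MantisBT code: the vulnerable lookup pattern beside the
# fixed one, modelling the advisory's description of CVE-2024-45792.
from dataclasses import dataclass

# Constructed sample data: numeric access levels and one profile record per user.
REPORTER, ADMINISTRATOR = 25, 90
ACCESS_LEVEL = {"alice": REPORTER, "bob": REPORTER, "root": ADMINISTRATOR}
PROFILES = {
    "alice": {"platform": "Linux", "os": "Debian 12", "description": "alice laptop"},
    "bob": {"platform": "Windows", "os": "11", "description": "bob workstation"},
}


@dataclass
class Session:
    """Server-side identity of the authenticated requester (never client-supplied)."""
    username: str


def profile_lookup_vulnerable(session: Session, post: dict) -> dict:
    """Trusts the POST field to name the profile owner and never checks whether the
    requester may read it, so any registered user can read any profile."""
    owner = post["user_id"]
    return PROFILES[owner]


def profile_lookup_fixed(session: Session, post: dict,
                         manage_threshold: int = ADMINISTRATOR) -> dict:
    """Authorizes before reading: the requester may read a profile only if it is
    their own or their access level reaches the manage-users threshold. The
    authorization check runs before the existence check so a denied requester
    cannot use the error type to probe which usernames exist."""
    owner = post.get("user_id", session.username)  # default to the caller's own profile
    is_owner = owner == session.username
    may_manage = ACCESS_LEVEL.get(session.username, 0) >= manage_threshold
    if not (is_owner or may_manage):
        raise PermissionError(f"{session.username} may not read the profile of {owner}")
    if owner not in PROFILES:
        raise KeyError("no such profile")
    return PROFILES[owner]


def is_denied(session: Session, post: dict) -> bool:
    """True when the fixed lookup refuses the request on authorization grounds."""
    try:
        profile_lookup_fixed(session, post)
    except PermissionError:
        return True
    return False
```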