Juniper Networks

Signature Detail


Short Name: HTTP:STC:MANTIS-PASS-RESET
Severity: Major
Recommended: Yes
Recommended Action: Drop
Category: HTTP
Keywords: Mantis Bug Tracker confirm_hash Remote Password Reset
Release Date: 2017/05/18
Update Number: 2895
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: Mantis Bug Tracker confirm_hash Remote Password Reset


A remote password reset vulnerability has been reported in Mantis Bug Tracker. Successful exploitation lets an attacker change the password for arbitrary accounts.

Extended Description

MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.

Affected Products

  • Mantisbt mantisbt 2.3.0

References

  • CVE: CVE-2017-7615
  • URL: https://www.mantisbt.org/blog/?p=518
  • URL: http://hyp3rlinx.altervista.org/advisories/mantis-bug-tracker-pre-auth-remote-password-reset.txt
