Mantis Cross-Site Request Forgery Vulnerabilities

Medium

Synopsis

The remote web server contains a PHP application that is affected by multiple cross-site request forgery vulnerabilities.

Description

The version of Mantis Bug Tracker installed on the remote host does not verify that state-changing HTTP requests originate from its own pages before performing various administrative actions. Because the browser attaches the administrator's session cookie to any request aimed at the application, including one submitted by a form on an unrelated site, a remote attacker who tricks a logged-in administrator into viewing a specially crafted page can perform cross-site request forgery attacks against the affected application, such as creating additional users with administrator privileges.
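The following is an added example, not code from Mantis or from this advisory, that models the flaw described above and the synchronizer-token check that closes it. The endpoint and field names (create_user, username, access_level, csrf_token) and the access level value are hypothetical and do not correspond to Mantis's real handlers; the browser behaviour it models (session cookie sent with cross-site form posts, token unreadable from another origin) is what makes the attack work.

```python
import hmac
import secrets

ADMIN = 90  # hypothetical "administrator" access level


class Session:
    """Server-side session of a logged-in user. The CSRF token is minted
    once per session and only ever embedded in this application's own
    forms, so a page on another origin cannot read it."""

    def __init__(self, username, access_level):
        self.username = username
        self.access_level = access_level
        self.csrf_token = secrets.token_hex(32)


class Request:
    """A POST as the server sees it. The session is resolved from the
    cookie the browser sends automatically, even for a cross-site form
    submission; only the form body is under the attacker's control."""

    def __init__(self, session, form):
        self.session = session
        self.form = form


# Constructed attacker page: auto-submitting form with no token field.
ATTACKER_PAGE = """
<form id="f" action="https://tracker.example/create_user" method="POST">
  <input type="hidden" name="username" value="backdoor">
  <input type="hidden" name="access_level" value="90">
</form>
<script>document.getElementById("f").submit();</script>
"""


def create_user_vulnerable(req, users):
    """Vulnerable handler: checks only that the caller is an administrator,
    so any page the administrator visits can drive this action."""
    if req.session is None or req.session.access_level < ADMIN:
        return 403
    users[req.form["username"]] = int(req.form["access_level"])
    return 200


def create_user_hardened(req, users):
    """Hardened handler: additionally requires the per-session token that
    the application placed in its own form. A forged cross-site request
    cannot carry it, so it is rejected before any state changes."""
    if req.session is None or req.session.access_level < ADMIN:
        return 403
    submitted = req.form.get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered by timing.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return 403
    users[req.form["username"]] = int(req.form["access_level"])
    return 200


def forged_request(admin_session):
    """What ATTACKER_PAGE produces when the administrator loads it:
    the victim's session cookie, the attacker's form fields, no token."""
    return Request(admin_session,
                   {"username": "backdoor", "access_level": str(ADMIN)})


def legitimate_request(admin_session):
    """The administrator's own form, rendered by the application with
    the session token embedded as a hidden field."""
    return Request(admin_session,
                   {"username": "alice", "access_level": "25",
                    "csrf_token": admin_session.csrf_token})


def demo():
    """Run the forged request against both handlers and a legitimate
    request against the hardened one; return the status codes and the
    resulting user tables."""
    admin = Session("administrator", ADMIN)
    vuln_users, hard_users = {}, {}
    results = {
        "vuln_forged": create_user_vulnerable(forged_request(admin), vuln_users),
        "hard_forged": create_user_hardened(forged_request(admin), hard_users),
        "hard_legit": create_user_hardened(legitimate_request(admin), hard_users),
    }
    return results, vuln_users, hard_users


if __name__ == "__main__":
    print(demo())
```

The token check is the only difference between the two handlers; the authentication check passes in both cases because the browser supplied the administrator's cookie, which is exactly why an authorization check alone does not stop CSRF.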

Solution

Upgrade to Mantis 1.2.0a1 or later.