CVE-2025-55155

medium

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure. This issue is fixed in version 2.27.2.

References

https://mantisbt.org/bugs/view.php?id=36005

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr

https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e

Details

Source: Mitre, NVD

Published: 2025-11-04

Updated: 2025-11-10

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00014