CVE-2017-7615

Description

MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.

How to fix CVE-2017-7615

To remediate CVE-2017-7615, upgrade the affected package to a fixed version below.

• Packagist/mantisbt/mantisbt—upgrade to 1.3.10 or later

Is CVE-2017-7615 being exploited?

Likely — EPSS is 92.5%, placing CVE-2017-7615 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• >= 1.3.0-rc.2, < 1.3.10

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-7615
• PATCHgithub.com/mantisbt/mantisbt
• WEBhyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt
• WEBpacketstormsecurity.com/files/159219/Mantis-Bug-Tracker-2.3.0-Remote-Code-Execution.html