MantisBT allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.

Upstream patches:
- 2.3.x https://github.com/mantisbt/mantisbt/commit/cfbc5e54
- 2.2.x https://github.com/mantisbt/mantisbt/commit/46880ef6
- 1.3.x https://github.com/mantisbt/mantisbt/commit/14c61a8c

Upstream bug:
https://mantisbt.org/bugs/view.php?id=22690

References:
http://seclists.org/oss-sec/2017/q2/74
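The check pattern that lets an empty confirm_hash through, shown as an added illustration; this is not MantisBT's code (the real changes are in the commits linked above). It assumes the stored-token lookup returns null when no token exists for the user, and the user ids, token value and function names are constructed for the example:

```php
<?php
// Added illustration, not MantisBT's own code. Assumption: the token
// lookup returns null when the user has no pending confirmation token.

// Hypothetical stand-in for the token store keyed by user id (constructed data).
function lookup_confirm_hash(int $user_id): ?string {
    $tokens = [42 => 'a1b2c3d4e5f6'];   // only user 42 has a pending token
    return $tokens[$user_id] ?? null;    // every other user: null
}

// Vulnerable pattern: loose comparison. In PHP, '' != null evaluates to
// false, so an empty confirm_hash is accepted for any user without a token.
function confirm_hash_ok_loose(int $user_id, string $supplied): bool {
    $stored = lookup_confirm_hash($user_id);
    return !($supplied != $stored);
}

// Hardened pattern: refuse when no token exists or the supplied value is
// empty, then compare with a strict, constant-time comparison.
function confirm_hash_ok_strict(int $user_id, string $supplied): bool {
    $stored = lookup_confirm_hash($user_id);
    if ($stored === null || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Demonstration: user 1 has no pending token (think of an account that
// never requested a reset), user 42 has one.
$cases = [
    [1, ''],               // empty confirm_hash against a user with no token
    [42, 'a1b2c3d4e5f6'],  // legitimate token
    [42, ''],              // empty hash against a user that does have a token
];
foreach ($cases as [$uid, $hash]) {
    printf("user %d hash '%s': loose=%s strict=%s\n", $uid, $hash,
        confirm_hash_ok_loose($uid, $hash) ? 'accept' : 'reject',
        confirm_hash_ok_strict($uid, $hash) ? 'accept' : 'reject');
}
```

The loose `!=` treats an empty string and a missing (null) token as equal, which is the class of mistake the description points at; the strict version rejects a missing token outright before comparing. When reviewing the linked upstream diffs, that null/empty handling around the confirm_hash comparison is the thing to look for.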
We are still shipping 1.2.x versions, not affected by this issue.
Created mantis tracking bugs for this issue:

Affects: fedora-all [bug 1442998]