Insecure Storage of Sensitive Information

CVE-2020-29603

Medium

4.3/10

Summary

In MantisBT, any unprivileged logged-in user can retrieve the names of private projects via the `project_id` parameter of the `manage_proj_edit_page.php` file, without having access to them. This flaw results in an Insecure Storage of Sensitive Information vulnerability. This vulnerability affects versions of the mantisbt/mantisbt package prior to 2.24.4.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-922 - Insecure Storage of Sensitive Information

The software stores sensitive information without properly limiting read or write access by unauthorized actors.

References

Advisory
Leak private information
Disclosure of private project name

Advisory Timeline

Published Jan 29, 2021

Insecure Storage of Sensitive Information

CVE-2020-29603

Summary

CWE-922 - Insecure Storage of Sensitive Information

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS