CVE-2023-44394
low-risk
Published 2023-10-16
MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. This issue has been addressed in commit `65c44883f` which has been included in release `2.25.8`. Users are advised to upgrade. Users unable to upgrade should disable wiki integration ( `$g_wiki_enable = OFF;`).
Do I need to act?
-
0.56% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (6)
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=32981
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=32981
25
/ 100
low-risk
Severity
18/34 · Moderate
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal