Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 364cc94affb3 · 2025-11-03T17:09:48.000Z
GHSA-4v8w-gg5j-ph37 GHSA-r3jf-hm7q-qfw5
diff --git a/advisories/github-reviewed/2025/11/GHSA-4v8w-gg5j-ph37/GHSA-4v8w-gg5j-ph37.json b/advisories/github-reviewed/2025/11/GHSA-4v8w-gg5j-ph37/GHSA-4v8w-gg5j-ph37.json
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4v8w-gg5j-ph37",
+  "modified": "2025-11-03T17:07:36Z",
+  "published": "2025-11-03T17:07:36Z",
+  "aliases": [
+    "CVE-2025-47776"
+  ],
+  "summary": "MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling",
+  "details": "Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.\n\n[1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782\n\n### Impact\nOn MantisBT instances configured to use the *MD5* login method, user accounts having a password hash evaluating to zero (i.e. matching regex `^0+[Ee][0-9]+$`) are vulnerable, allowing an attacker knowing the victim's username to login without knowledge of their actual password, using any other password having a  hash evaluating to zero, for example `comito5` (0e579603064547166083907005281618). \n\nNo password bruteforcing for individual users is needed, thus $g_max_failed_login_count does not protect against the attack.\n\n### Patches\nFixed in 2.27.2.\n\n### Workarounds\nCheck the database for vulnerable accounts, and change those users' passwords, e.g. for MySQL:\n```sql\nSELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$'\n```\n\n### Credits\nThanks to Harry Sintonen / Reversec for discovering and reporting the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mantisbt/mantisbt"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.27.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mantisbt/mantisbt"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mantisbt.org/bugs/view.php?id=35967"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-305",
+      "CWE-697"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-03T17:07:36Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/11/GHSA-r3jf-hm7q-qfw5/GHSA-r3jf-hm7q-qfw5.json b/advisories/github-reviewed/2025/11/GHSA-r3jf-hm7q-qfw5/GHSA-r3jf-hm7q-qfw5.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r3jf-hm7q-qfw5",
+  "modified": "2025-11-03T17:07:39Z",
+  "published": "2025-11-03T17:07:39Z",
+  "aliases": [
+    "CVE-2025-46556"
+  ],
+  "summary": "MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length",
+  "details": "A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added:\n\n### Impact\n- The entire activity stream becomes unviewable (UI fails to render).\n- New notes cannot be displayed, effectively breaking all future collaboration on the issue.\n\n### Patches\nFixed in 2.27.2.\n\n### Workarounds\nNone\n\n### Credits\nThanks to Mazen Mahmoud (@TheAmazeng) for reporting the vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mantisbt/mantisbt"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.27.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mantisbt/mantisbt"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-03T17:07:39Z",
+    "nvd_published_at": null
+  }
+}
