Unvalidated note_type Parameter in mc_issue_update SOAP Endpoint Allows creation of TIME_TRACKING and REMINDER Notes. The SOAP path passes the user-supplied note_type integer directly to bugnote_add() without validating that the user is authorized to create that type of note. If the user's access level is higher than $g_time_tracking_view_threshold, they can also inject arbitrary hours into billing reports.
REST API also allows injection of TIME_TRACKING notes (but not REMINDER) through the same mc_issue_update() function.
Impact
An attacker with UPDATER access could:
- Inject fake billable hours via TIME_TRACKING notes (note_type=2), corrupting billing data exported through MantisBT's billing reports. Organizations that bill clients based on MantisBT time tracking data would generate incorrect invoices, and corrupt time tracking reports could be used to drive project management decisions.
- Fake REMINDER notes registered (but without actual sending of notifications).
Patches
Workarounds
None
Resources
Credits
Thanks to the following security researchers for discovering and responsibly reporting the issue
References
Unvalidated note_type Parameter in mc_issue_update SOAP Endpoint Allows creation of TIME_TRACKING and REMINDER Notes. The SOAP path passes the user-supplied note_type integer directly to bugnote_add() without validating that the user is authorized to create that type of note. If the user's access level is higher than $g_time_tracking_view_threshold, they can also inject arbitrary hours into billing reports.
REST API also allows injection of TIME_TRACKING notes (but not REMINDER) through the same mc_issue_update() function.
Impact
An attacker with UPDATER access could:
Patches
Workarounds
None
Resources
Credits
Thanks to the following security researchers for discovering and responsibly reporting the issue
References