2008-10-22 17:00:00
mitre
PUBLISHED
core/string_api.php in Mantis before 1.1.3 does not check the privileges of the viewer before composing a link with issue data in the source anchor, which allows remote attackers to discover an issues title and status via a request with a modified issue number.