2019-06-06 18:17:04
mitre
PUBLISHED
An issue was discovered in MantisBT through 1.3.14, and 2.0.0. Using a crafted request on bug_report_page.php (modifying the m_id parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce, additional information) when cloning it. By checking the Copy issue notes and Copy attachments checkboxes and completing the clone operation, this data also becomes public (except private notes).