2024-02-20 21:44:27
GitHub_M
PUBLISHED
MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a users email address and username can hijack the users account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`.