CVE-2020-36192
CVE-2020-36192 is a medium-severity vulnerability in Mantisbt Source Integration with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Mantisbt Source Integration
- Published:
- Last modified:
Description
An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php page, as well as on the list.php page (a pop-up on the Affected Issues id hyperlink). Additionally, if the attacker has "Update threshold" in the plugin's configuration (set to the "updater" access level by default), then they can link any Issue to a Changeset by entering the Issue's Id, even if they do not have access to it.
Frequently asked questions
- What is CVE-2020-36192?
- An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php page, as well as on the list.php page (a pop-up on the Affected Issues id hyperlink). Additionally, if the attacker has "Update threshold" in the plugin's configuration (set to the "updater" access level by default), then they can link any Issue to a Changeset by entering the Issue's Id, even if they do not have access to it.
- How severe is CVE-2020-36192?
- CVE-2020-36192 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2020-36192 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-36192?
- CVE-2020-36192 affects Mantisbt Source Integration. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2020-36192?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-36192 published?
- CVE-2020-36192 was published on 2021-01-18 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:mantisbt:source_integration:*:*:*:*:*:mantisbt:*:*
More vulnerabilities in Mantisbt Source Integration
- CVE-2020-8981 — Medium (CVSS 6.1): A cross-site scripting (XSS) vulnerability was discovered in the Source Integration plugin before 1.6.2 and 2.x before…
- CVE-2018-16362 — Medium (CVSS 6.1): An issue was discovered in the Source Integration plugin before 1.5.9 and 2.x before 2.1.5 for MantisBT. A cross-site…
- CVE-2017-6958 — Medium (CVSS 6.1): An XSS vulnerability in the MantisBT Source Integration Plugin (before 2.0.2) search result page allows an attacker to…