VYPR
Unrated severity · NVD Advisory · Published Oct 27, 2005 · Updated Jun 16, 2026

CVE-2005-3338

Description

Unspecified vulnerability in Mantis before 0.19.3, when using reminders, causes Mantis to display the real email addresses of users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • Mantisbt/Mantis (8 versions)
    • cpe:2.3:a:mantis:mantis:0.19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:0.19.3:*:*:*:*:*:*:*
    • (no CPE) range: <0.19.3

Patches

Vulnerability mechanics

Root cause

"The reminder feature in Mantis displays the real email addresses of users instead of obfuscating or hiding them."

Attack vector

An attacker can trigger the bug by using the reminder feature in Mantis. When a reminder is sent, the system inadvertently displays the real email addresses of users instead of hiding or obfuscating them. This allows an attacker to collect valid email addresses, which could be used for further phishing or social engineering attacks. The vulnerability is classified as an information disclosure issue.

Affected code

The advisory does not specify the exact file or function responsible for the email disclosure. The vulnerability is described as an unspecified issue in Mantis before version 0.19.3 that occurs when using the reminder feature, causing the real email addresses of users to be displayed.

What the fix does

The advisory does not include a patch diff. The fix was released in Mantis version 0.19.3, which presumably sanitizes or hides email addresses when the reminder feature is used. Without the patch, the exact remediation steps are unknown, but the goal is to prevent the disclosure of real email addresses during reminder operations.

Preconditions

  • config: The attacker must have access to a Mantis instance where the reminder feature is enabled and used.
  • auth: The attacker must be able to trigger or observe the reminder functionality, likely as an authenticated user.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.