High severity (8.8) · NVD Advisory · Published Apr 16, 2017 · Updated May 13, 2026
CVE-2017-7615
Description
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | >= 1.3.0-rc.2, < 1.3.10 | 1.3.10 |
| mantisbt/mantisbt (Packagist) | >= 2.0.0, < 2.2.4 | 2.2.4 |
| mantisbt/mantisbt (Packagist) | >= 2.3.0, < 2.3.1 | 2.3.1 |
References
- mantisbt.org/bugs/view.php (NVD: Issue Tracking, Patch, Vendor Advisory; Web)
- hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt (NVD: Exploit, Third Party Advisory; Web)
- packetstormsecurity.com/files/159219/Mantis-Bug-Tracker-2.3.0-Remote-Code-Execution.html (NVD: Exploit, Third Party Advisory, VDB Entry; Web)
- www.exploit-db.com/exploits/41890/ (NVD: Exploit, Third Party Advisory, VDB Entry)
- www.openwall.com/lists/oss-security/2017/04/16/2 (NVD: Mailing List, Third Party Advisory; Web)
- www.securityfocus.com/bid/97707 (NVD: Broken Link, Third Party Advisory, VDB Entry; Web)
- github.com/advisories/GHSA-252r-f55f-ff34 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7615 (GHSA: Advisory)
- www.exploit-db.com/exploits/41890 (GHSA: Web)