CVE-2024-23830
📋 TL;DR
CVE-2024-23830 is an account hijack vulnerability in MantisBT where an unauthenticated attacker can take over user accounts by poisoning password reset links. This affects all MantisBT instances prior to version 2.26.1. Attackers need to know the target's email address and username to exploit this vulnerability.
💻 Affected Systems
- Mantis Bug Tracker (MantisBT)
📦 What is this software?
Mantis Bug Tracker (MantisBT), published by the MantisBT project.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts in the MantisBT instance, leading to data theft, privilege escalation, and potential lateral movement to connected systems.
Likely Case
Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive issue tracking data and project information.
If Mitigated
Limited impact when access to the instance is restricted and monitored, though an individual account could still be compromised if the flaw is exploited.
🎯 Exploit Status
Exploitation requires knowledge of target email and username, but the attack technique is straightforward once these are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.26.1
Vendor Advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528
Restart Required: No
Instructions:
1. Back up your current MantisBT installation and database.
2. Download version 2.26.1 or later from mantisbt.org.
3. Replace the existing files with the new version.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Configure the $g_path variable
Define the $g_path variable explicitly in config_inc.php so that generated links use a fixed base URL; this prevents link poisoning.
Edit config_inc.php and add: $g_path = 'https://your-domain.com/mantisbt/';
🧯 If You Can't Patch
- Implement network-level controls to restrict access to MantisBT to trusted IP addresses only
- Enable multi-factor authentication if supported, and monitor for suspicious password reset attempts
🔍 How to Verify
Check if Vulnerable:
Check your MantisBT version by viewing the footer on any page or the admin system information page. If the version is below 2.26.1, the instance is vulnerable.
Check Version:
Check the footer of any MantisBT page or visit /admin/check/index.php
Verify Fix Applied:
After patching, verify the version shows 2.26.1 or higher. Test password reset functionality to ensure links are properly generated.
📡 Detection & Monitoring
Log Indicators:
- Multiple password reset requests for the same user
- Password reset requests from unusual IP addresses
- Successful password resets followed by immediate login from different IP
Network Indicators:
- Unusual patterns in password reset email generation
- HTTP requests manipulating password reset parameters
SIEM Query:
source="mantisbt.log" AND ("password_reset" OR "reset_password") AND status="200" | stats count by src_ip, user
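The three log indicators above can be checked mechanically. The following Python script is an added example, not part of this advisory or of MantisBT; it runs over constructed log lines in a simplified key=value format (the field names src, user, event and status are assumptions, and a real MantisBT or web-server log needs its own parse_line) and flags a burst of reset requests for one user, a reset request from an IP the user has never logged in from, and a successful reset followed within the window by a login from a different IP.

```python
"""Detection logic for the password-reset indicators in this advisory.

Added example, not MantisBT code. The log format, field names and
sample lines below are constructed; adapt parse_line() to your source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real MantisBT output).
SAMPLE_LOG = """\
2024-02-01T09:00:00Z src=198.51.100.10 user=alice event=login status=200
2024-02-01T10:00:00Z src=203.0.113.5 user=alice event=reset_request status=200
2024-02-01T10:01:00Z src=203.0.113.5 user=alice event=reset_request status=200
2024-02-01T10:02:00Z src=203.0.113.5 user=alice event=reset_request status=200
2024-02-01T10:05:00Z src=203.0.113.5 user=alice event=reset_success status=200
2024-02-01T10:06:00Z src=203.0.113.77 user=alice event=login status=200
2024-02-01T11:00:00Z src=198.51.100.20 user=bob event=reset_request status=200
2024-02-01T11:03:00Z src=198.51.100.20 user=bob event=reset_success status=200
2024-02-01T11:04:00Z src=198.51.100.20 user=bob event=login status=200
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(records, window=timedelta(minutes=10), reset_threshold=3):
    """Return a list of (indicator, user, src_ip) tuples, in detection order."""
    alerts = []
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)

    for user, recs in by_user.items():
        baseline_ips = set()      # IPs seen in this user's earlier successful logins
        recent_resets = []        # timestamps of reset requests inside the window
        flagged_unusual = set()   # avoid re-alerting on the same unusual IP
        burst_alerted = False
        last_reset_success = None
        for rec in recs:
            ev, src, ts = rec["event"], rec["src"], rec["ts"]
            if ev == "reset_request":
                # Indicator 1: multiple reset requests for the same user
                recent_resets = [t for t in recent_resets if ts - t <= window] + [ts]
                if len(recent_resets) >= reset_threshold and not burst_alerted:
                    alerts.append(("reset_burst", user, src))
                    burst_alerted = True
                # Indicator 2: reset request from an IP with no login history for
                # this user (only judged once a baseline exists)
                if baseline_ips and src not in baseline_ips and src not in flagged_unusual:
                    alerts.append(("reset_from_unusual_ip", user, src))
                    flagged_unusual.add(src)
            elif ev == "reset_success":
                last_reset_success = rec
            elif ev == "login" and rec.get("status") == "200":
                # Indicator 3: successful reset followed by a login from a
                # different IP than the one that completed the reset
                if (last_reset_success is not None
                        and ts - last_reset_success["ts"] <= window
                        and src != last_reset_success["src"]):
                    alerts.append(("login_after_reset_from_other_ip", user, src))
                    last_reset_success = None
                # In production, build the baseline from pre-incident data only;
                # here every successful login extends it.
                baseline_ips.add(src)
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for indicator, user, src in run_sample():
        print(f"{indicator}: user={user} src={src}")
```

On the sample, alice produces all three alerts and bob none, which mirrors the SIEM query's intent of aggregating reset activity by source IP and user while adding the temporal checks a plain count cannot express.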
🔗 References
- https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528
- https://mantisbt.org/bugs/view.php?id=19381