CVE-2024-34077

7.3 HIGH

📋 TL;DR

MantisBT versions before 2.26.2 have an insufficient access control vulnerability in the registration and password reset process. An attacker can reset another user's password and take over their account if the victim has an incomplete password reset request pending. This affects all MantisBT installations using vulnerable versions.

💻 Affected Systems

Products:
  • Mantis Bug Tracker (MantisBT)
Versions: All versions before 2.26.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration. Exploitation requires the victim to have initiated, but not completed, a password reset within the last 5 minutes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full control of administrator or high-privilege accounts, leading to data theft, system compromise, or complete application takeover.

🟠

Likely Case

Attacker compromises regular user accounts to access sensitive project data, modify issues, or escalate privileges within the bug tracking system.

🟢

If Mitigated

With the patch applied or the workarounds in place, the attack window is eliminated or reduced to minimal risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit involves brute-forcing user IDs against the account_update.php endpoint while the verification token is still valid (a 5-minute window).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.26.2

Vendor Advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm

Restart Required: No

Instructions:

1. Backup your MantisBT installation and database.
2. Download MantisBT 2.26.2 or later from mantisbt.org.
3. Replace the existing files with the new version.
4. Run admin/check.php to verify the installation.
5. Clear browser cache.

🔧 Temporary Workarounds

Reduce Token Expiry Time

Applies to: all

Decrease the verification token validity period to reduce the attack window.

Edit constants_inc.php and change the TOKEN_EXPIRY_AUTHENTICATED constant to a value less than 300 seconds.

🧯 If You Can't Patch

  • Monitor account_update.php endpoint for unusual activity patterns
  • Implement rate limiting or WAF rules to block brute-force attempts

🔍 How to Verify

Check if Vulnerable:

Check the MantisBT version in config_inc.php or via admin/check.php; versions below 2.26.2 are vulnerable.

Check Version:

grep 'g_mantis_version' config_inc.php || php admin/check.php | grep 'MantisBT Version'

Verify Fix Applied:

Verify that the version is 2.26.2 or higher and test the password reset functionality.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts for different user IDs within a short timeframe
  • Unusual account_update.php requests carrying sequential user IDs

Network Indicators:

  • HTTP POST requests to account_update.php with varying user_id parameters

SIEM Query:

source="mantisbt.log" "account_update.php" | stats dc(user_id) AS distinct_users, count BY src_ip | where distinct_users > 10

(Splunk-style search; the src_ip and user_id field names and the threshold of 10 are placeholders to adapt to your own log format and traffic baseline.)
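Added example, not code from the advisory or the MantisBT project: a detector for the Log and Network Indicators above that flags any client sending account_update.php requests with many distinct user_id values inside one 5-minute window (the token validity period named above). The CSV log layout, the field names and the threshold are assumptions; the sample log lines are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample in an assumed CSV layout (timestamp, src_ip, path, user_id, status);
# real MantisBT or web-server logs need their own parser.
SAMPLE_LOG = """timestamp,src_ip,path,user_id,status
2024-05-10T12:00:00Z,203.0.113.9,/account_update.php,2,403
2024-05-10T12:00:01Z,203.0.113.9,/account_update.php,3,403
2024-05-10T12:00:02Z,203.0.113.9,/account_update.php,4,403
2024-05-10T12:00:03Z,203.0.113.9,/account_update.php,5,403
2024-05-10T12:00:04Z,203.0.113.9,/account_update.php,6,200
2024-05-10T12:00:05Z,198.51.100.7,/account_update.php,11,200
2024-05-10T12:30:00Z,198.51.100.7,/account_update.php,11,200
2024-05-10T12:00:06Z,203.0.113.9,/view.php,,200
"""
WINDOW = timedelta(seconds=300)  # the 5-minute verification token window described above

def parse_events(text):
    """Yield (time, src_ip, user_id) for requests that carried a user_id to account_update.php."""
    for row in csv.DictReader(StringIO(text)):
        if row["path"] != "/account_update.php" or not row["user_id"]:
            continue
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, row["src_ip"], int(row["user_id"])

def find_user_id_sweeps(text, window=WINDOW, threshold=4):
    """Return {src_ip: most distinct user_ids seen in any `window`} for clients
    reaching `threshold`; a sliding window over each client's time-sorted events."""
    by_ip = defaultdict(list)
    for ts, ip, uid in parse_events(text):
        by_ip[ip].append((ts, uid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        counts, start, best = defaultdict(int), 0, 0
        for ts, uid in events:
            counts[uid] += 1
            while ts - events[start][0] > window:  # drop events older than the window
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

On the constructed sample, 203.0.113.9 is flagged for touching 5 distinct user_id values in 4 seconds, while 198.51.100.7 (one legitimate user retrying) is not.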
