GHSA-g582-8vwr-68h2: MantisBT unauthorized disclosure of private project column configuration
Impact
Due to insufficient access-level checks, any non-admin user having access to manage_config_columns_page.php (typically project managers having MANAGER role) can use the Copy From action to retrieve the columns configuration from a private project they have no access to.
Access to the reverse operation (Copy To) is correctly controlled, i.e. it is not possible to alter the private project’s configuration.
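As an added illustration (not MantisBT's code, and not the content of the fixing commit), the following Python model shows the pattern the advisory describes: a "copy columns configuration" action that authorizes the destination project but never authorizes the source, beside a corrected version that checks both. The access levels, user names, project names, and every function here are constructed for the example; only the shape of the flaw (a missing access check on the source-project parameter) comes from the advisory.

```python
# Added example, not MantisBT code. Models a "Copy From" action that checks
# the destination project but not the source, beside the hardened form.
# Access levels, users, projects and function names are all constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Ordered access levels (constructed; only their relative order matters)
VIEWER, REPORTER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 55, 70, 90


class AccessDenied(Exception):
    """Raised when an actor lacks the required level on a project."""


@dataclass
class Project:
    name: str
    private: bool
    members: Dict[str, int] = field(default_factory=dict)  # user -> level
    columns: List[str] = field(default_factory=list)        # the config being copied


# Site-wide access level per user (constructed sample data)
GLOBAL_LEVEL: Dict[str, int] = {"alice": ADMINISTRATOR, "bob": MANAGER, "carol": REPORTER}


def effective_level(user: str, project: Project) -> Optional[int]:
    """Access level of `user` on `project`, or None when the user has none.

    Administrators see everything. On a public project a non-member keeps
    their site-wide level; on a private project only explicit members have access.
    """
    global_level = GLOBAL_LEVEL.get(user)
    if global_level is None:
        return None
    if global_level >= ADMINISTRATOR:
        return global_level
    if user in project.members:
        return project.members[user]
    return None if project.private else global_level


def ensure_level(user: str, project: Project, required: int) -> None:
    """Authorization guard: raise unless the user holds `required` on the project."""
    level = effective_level(user, project)
    if level is None or level < required:
        raise AccessDenied(f"{user} lacks level {required} on {project.name}")


def copy_columns_vulnerable(actor: str, src: Project, dst: Project) -> List[str]:
    """Flawed pattern: only the destination is authorized.

    Because `src` is never checked, a manager of any project can name a
    private project as the source and read its column configuration.
    Writing *into* a private project is still blocked by the `dst` check,
    which is why the reverse (Copy To) direction is not affected.
    """
    ensure_level(actor, dst, MANAGER)
    dst.columns = list(src.columns)
    return dst.columns


def copy_columns_fixed(actor: str, src: Project, dst: Project) -> List[str]:
    """Hardened version: the actor must be able to view the source project
    and manage the destination. The source check is what closes the leak."""
    ensure_level(actor, src, VIEWER)
    ensure_level(actor, dst, MANAGER)
    dst.columns = list(src.columns)
    return dst.columns


def demo() -> dict:
    """Run both variants for a manager who is not a member of the private project."""
    secret = Project("secret", private=True, members={"alice": MANAGER},
                     columns=["id", "summary", "customer_contract_ref"])
    public = Project("public", private=False, members={"bob": MANAGER},
                     columns=["id", "summary"])

    leaked = copy_columns_vulnerable("bob", secret, public)  # succeeds: config leaks
    try:
        copy_columns_fixed("bob", secret, Project("public", False, {"bob": MANAGER}))
        blocked = False
    except AccessDenied:
        blocked = True
    return {"leaked_columns": leaked, "fixed_blocks_bob": blocked}


if __name__ == "__main__":
    print(demo())
```

The single line that matters is `ensure_level(actor, src, VIEWER)` in `copy_columns_fixed`: any action that reads data from a caller-supplied object id needs its own authorization check on that object, independent of whatever check protects the write target. The `copy_columns_vulnerable("bob", public, secret)` direction raises `AccessDenied` even in the flawed variant, which mirrors the advisory's note that Copy To was already controlled.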
Patches
The vulnerability will be fixed in MantisBT version 2.27.2.
Workarounds
None
Credits
Thanks to d3vpoo1 for reporting the issue.
CVE ID
CVE-2025-62520
Moderate severity • GitHub Reviewed • Published Nov 1, 2025 in mantisbt/mantisbt • Updated Nov 3, 2025
Package
composer mantisbt/mantisbt (Composer)
Affected versions
< 2.27.2
References
- GHSA-g582-8vwr-68h2
- mantisbt/mantisbt@4fe94f4
- https://mantisbt.org/bugs/view.php?id=36502
Published to the GitHub Advisory Database
Nov 3, 2025