CVE-2025-55155
BaseFortify
Publication date: 2025-11-04
Last updated on: 2025-11-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantisbt | to 2.27.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-354 | The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. |
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In Mantis Bug Tracker versions 2.27.1 and below, when a user changes their email address in their profile, the system does not verify that the new email actually belongs to the user. This means an invalid or someone else's email address can be saved, which can cause notifications to be sent to unintended recipients.
How can this vulnerability impact me? :
This vulnerability can lead to users not receiving important system notifications because their email address is invalid. Additionally, notifications might be sent to other people's email addresses, potentially causing information disclosure.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mantis Bug Tracker to version 2.27.2 or later, as this version fixes the vulnerability related to email address validation when users edit their profiles.