CVE-2025-62520: MantisBT unauthorized disclosure of private project column configuration
Due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php (typically a project manager with the MANAGER access level) can use the Copy From action to retrieve the column configuration of a private project they otherwise have no access to.
The reverse operation (Copy To) is correctly access-controlled, i.e. it is not possible to alter the private project's configuration.
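The flaw described above is an authorization check applied to only one side of a copy: the "Copy To" direction checks the project being written, but the "Copy From" direction never checks the project being read. The following Python model is an added illustration, not MantisBT's code; the project, user and access-level structures, the numeric thresholds (assumed to follow MantisBT's VIEWER/MANAGER/ADMINISTRATOR ordering) and the handler names are all constructed for this example. It shows the vulnerable handler leaking a private project's columns beside the hardened one that authorizes both ends of the copy.

```python
"""Model of the access-control flaw in CVE-2025-62520 (constructed example).

A 'Copy From' handler that authorizes only the destination project lets a
caller read column configuration out of a private project they cannot see.
The fix is to authorize the source (the project whose data is read) as well.
"""
from dataclasses import dataclass, field

# Access levels; assumption: ordering modelled on MantisBT's thresholds.
VIEWER, MANAGER, ADMINISTRATOR = 10, 70, 90


class AccessDenied(Exception):
    pass


@dataclass
class Project:
    name: str
    private: bool
    columns: list  # the column configuration being protected


@dataclass
class User:
    name: str
    global_level: int
    # explicit per-project access, the only way into a private project
    project_levels: dict = field(default_factory=dict)

    def level_in(self, project: Project) -> int:
        if self.global_level >= ADMINISTRATOR:
            return ADMINISTRATOR
        if project.private:
            return self.project_levels.get(project.name, 0)
        return max(self.global_level, self.project_levels.get(project.name, 0))


def ensure_level(user: User, project: Project, threshold: int) -> None:
    """Raise AccessDenied unless the user meets the threshold on the project."""
    if user.level_in(project) < threshold:
        raise AccessDenied(f"{user.name} lacks level {threshold} on {project.name}")


def copy_from_vulnerable(user: User, dest: Project, src: Project) -> list:
    """Vulnerable pattern: only the project being written to is checked.
    The source is read without any authorization, so its columns leak."""
    ensure_level(user, dest, MANAGER)
    dest.columns = list(src.columns)
    return dest.columns


def copy_from_fixed(user: User, dest: Project, src: Project) -> list:
    """Hardened pattern: manage rights on the destination AND at least
    view rights on the source, since the source is what gets disclosed."""
    ensure_level(user, dest, MANAGER)
    ensure_level(user, src, VIEWER)
    dest.columns = list(src.columns)
    return dest.columns


def copy_to(user: User, src: Project, dest: Project) -> list:
    """Reverse direction, already correctly controlled per the advisory:
    writing into dest requires manage rights on dest."""
    ensure_level(user, dest, MANAGER)
    dest.columns = list(src.columns)
    return dest.columns


def demo() -> dict:
    """Run the three handlers as a manager of a public project who has no
    access to a private one; returns what each handler exposed or refused."""
    public = Project("public", private=False, columns=["id", "summary"])
    secret = Project("secret", private=True,
                     columns=["id", "internal_ref", "customer"])
    manager = User("manager", MANAGER)  # manages public, no access to secret

    results = {}
    # Vulnerable: the private project's column list is copied and disclosed.
    results["vulnerable_leak"] = copy_from_vulnerable(manager, public, secret)
    public.columns = ["id", "summary"]  # reset for the next attempt

    try:
        copy_from_fixed(manager, public, secret)
        results["fixed_leak"] = public.columns
    except AccessDenied:
        results["fixed_leak"] = None  # refused: source not authorized

    try:
        copy_to(manager, public, secret)
        results["copy_to_allowed"] = True
    except AccessDenied:
        results["copy_to_allowed"] = False  # refused: destination not authorized
    return results


if __name__ == "__main__":
    print(demo())
```

The check a reviewer would look for in any copy, export, clone or "apply settings from" feature is the one on the read side: a write-side authorization proves nothing about the caller's right to see the data being copied.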