CVE-2012-1123

high

Published 2012-06-29 · Modified 2026-04-29

CVSS v3

—

CVSS v2

7.5

VIR risk

7.5

Description

The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass authentication via a null password.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://github.com/mantisbt/mantisbt/commit/f5106be52cf6aa72c521f388e4abb5f0de1f1d7f

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://www.mantisbt.org/bugs/view.php?id=13901

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/49572

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/48258

Application impact

Vendor	Product	Versions
mantisbt	mantisbt	`{"endIncluding":"1.2.8"}`
mantisbt	mantisbt	`0.18.0`
mantisbt	mantisbt	`0.19.0`
mantisbt	mantisbt	`0.19.1`
mantisbt	mantisbt	`0.19.2`
mantisbt	mantisbt	`0.19.3`
mantisbt	mantisbt	`0.19.4`
mantisbt	mantisbt	`0.19.5`
mantisbt	mantisbt	`1.0.0`
mantisbt	mantisbt	`1.0.1`
mantisbt	mantisbt	`1.0.2`
mantisbt	mantisbt	`1.0.3`
mantisbt	mantisbt	`1.0.4`
mantisbt	mantisbt	`1.0.5`
mantisbt	mantisbt	`1.0.6`
mantisbt	mantisbt	`1.0.7`
mantisbt	mantisbt	`1.0.8`
mantisbt	mantisbt	`1.0.9`
mantisbt	mantisbt	`1.1.0`
mantisbt	mantisbt	`1.1.1`
mantisbt	mantisbt	`1.1.2`
mantisbt	mantisbt	`1.1.3`
mantisbt	mantisbt	`1.1.4`
mantisbt	mantisbt	`1.1.5`
mantisbt	mantisbt	`1.1.6`
mantisbt	mantisbt	`1.1.7`
mantisbt	mantisbt	`1.1.8`
mantisbt	mantisbt	`1.1.9`
mantisbt	mantisbt	`1.2.0`
mantisbt	mantisbt	`1.2.1`
mantisbt	mantisbt	`1.2.2`
mantisbt	mantisbt	`1.2.3`
mantisbt	mantisbt	`1.2.4`
mantisbt	mantisbt	`1.2.5`
mantisbt	mantisbt	`1.2.6`
mantisbt	mantisbt	`1.2.7`

References

CWEs

CWE-287

Verify integrity in audit chain (admin only). AS-IS.