On May 20, 2008, Exploit-DB published an advisory on multiple vulnerabilities in Mantis Bug Tracker 1.1.1, attributed to Francesco “ascii” Ongaro and Antonio “s4tan” Parata of the USH team. The flaws included XSS, CSRF, and a serious Remote Code Execution vulnerability caused by unsafe use of the eval() function in adm_config_set.php. The document also highlights a dispute over the correct attribution of CVE-2008-2276, initially assigned to an internal Mantis project contact despite the vulnerabilities being discovered and reported by Ongaro and Parata. The advisory, accompanied by technical evidence and a detailed timeline, led to a partial software update, but also prompted the authors to review their approach to responsible disclosure.