CVE-2025-55155: 
PHP vulnerability analysis and mitigation

MantisBT (Mantis Bug Tracker) versions 2.27.1 and below contain a vulnerability (CVE-2025-55155) where the system lacks proper verification when users change their email addresses. The vulnerability was discovered by @ncrcs and disclosed on November 3, 2025. The issue affects the PHP-based open-source issue tracking system, specifically impacting the user profile email change functionality (GitHub Advisory).

The vulnerability has a CVSS v3.1 score of 5.4 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The core issue lies in the direct update of user email addresses in the database without a verification step, which could be exploited through both the web interface (account_page.php) and API/Command Layer (UserUpdateCommand class). The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-345 (Insufficient Verification of Data Authenticity) (GitHub Advisory, Miggo).

The vulnerability could result in storing invalid email addresses and preventing users from receiving system notifications. More critically, it could lead to information disclosure as system notifications might be sent to unauthorized email addresses, potentially exposing sensitive information to unintended recipients (GitHub Advisory, Miggo).

The vulnerability has been fixed in MantisBT version 2.27.2. The patch implements a token-based email verification flow where instead of updating the email directly, the system now sends a verification link to the new email address. The update is only completed when the user clicks this link. No workarounds are available for users who cannot immediately update to the patched version (GitHub Advisory).