CVE-2025-62520: 
PHP vulnerability analysis and mitigation

CVE-2025-62520 is a security vulnerability discovered in MantisBT affecting versions up to 2.27.1. The vulnerability was discovered on October 15, 2025, and publicly disclosed on November 1, 2025. It involves unauthorized disclosure of private project column configurations, where non-admin users with MANAGER role could access configuration details of private projects they shouldn't have access to (GitHub Advisory).

The vulnerability stems from insufficient access-level checks in the manageconfigcolumns_page.php file. Specifically, when using the 'Copy From' action, the system failed to properly validate access permissions for the source project. This allowed users with MANAGER role to retrieve column configurations from private projects they weren't authorized to access. The vulnerability has been assigned a CVSS v4.0 score with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, indicating a moderate severity level (GitHub Advisory).

The vulnerability allows unauthorized access to private project configurations. While the impact is limited to column configuration information, it represents a security breach as it exposes private project settings. The vulnerability only affects the 'Copy From' operation; the 'Copy To' operation remains properly secured, preventing unauthorized modification of private project configurations (GitHub Advisory).

The vulnerability has been fixed in MantisBT version 2.27.2. The patch adds explicit access control checks in the managecolumnscopy.php file to verify that users have MANAGER-level access to the source project before allowing the copy operation. No workarounds are available for affected versions; upgrading to version 2.27.2 is the recommended solution (GitHub Advisory, GitHub Commit).