oss-sec mailing list archives

CVE request: PHP Object Injection in MantisBT filter API


From: Damien Regad <dregad () mantisbt org>
Date: Sat, 29 Nov 2014 23:43:28 +0100

Greetings,

Please assign a CVE ID for the following issue.


Description:

In the function current_user_get_bug_filter(), the code loads a variable from $_GET['filter']/$_POST['filter'] and, if it's not numeric, feeds it straight into unserialize(), allowing an attacker to inject a PHP object.


Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See GitHub [1]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [3].
It was fixed by Paul Richards.

References:
Further details available in our issue tracker [2]


[1] http://github.com/mantisbt/mantisbt/commit/599364b2
[2] http://www.mantisbt.org/bugs/view.php?id=17875
[3] http://www.offensive-security.com/bug-bounty-program/
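
The pattern described in the advisory, next to a hardened variant, as an added example for readers of this archive page. It is not MantisBT code and not the fix in [1]. The function names, the Probe class and the sample filter keys are hypothetical, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Added illustration; not MantisBT code. All names here are hypothetical.

// Constructed stand-in for any application class that has a magic method.
class Probe {
    public static $woken = 0;
    public function __wakeup() { self::$woken++; }
}

// Pattern from the advisory: non-numeric request input reaches unserialize().
function filter_param_unsafe($raw) {
    if (is_numeric($raw)) {
        return (int) $raw;            // id of a stored filter
    }
    return unserialize($raw);         // instantiates any class named in the input
}

// True if the value is an object or holds one at any nesting depth.
function contains_object($value) {
    if (is_object($value)) { return true; }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) { return true; }
        }
    }
    return false;
}

// Hardened variant: never instantiate classes, accept only plain arrays.
function filter_param_safe($raw) {
    if (is_numeric($raw)) { return (int) $raw; }
    if (!is_string($raw)) { return null; }
    // With allowed_classes => false, objects become __PHP_Incomplete_Class
    // and their magic methods are never called.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) { return null; }
    return $data;
}

// Constructed sample inputs.
$legit  = serialize(['status' => 10, 'per_page' => 50]);
$object = serialize(['x' => new Probe()]);

filter_param_unsafe($object);
echo "objects woken by unsafe path: ", Probe::$woken, "\n";
filter_param_safe($object);
echo "objects woken after safe path: ", Probe::$woken, "\n";
var_dump(filter_param_safe($object), filter_param_safe($legit), filter_param_safe('42'));
```

The woken counter rises only on the unsafe path, and the hardened function returns null for any payload that carries an object. Moving the parameter to a data-only encoding such as JSON removes the object-instantiation surface altogether.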



