Dependency Graph

View IssueRelationship GraphHorizontalShow Summary
Dependency Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0027727mantisbtsecuritypublic2020-12-07 13:482022-10-08 09:04
Reporterd3vpoo1 Assigned Todregad  
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Target Version2.24.4Fixed in Version2.24.4 
Summary0027727: CVE-2020-29605: Disclosure of private issue summary
Description

Due to insufficient access level checks, any user allowed to perform Group Actions can get access to private Issues' Summary, using a crafted bug_actiongroup_page.php URL. Target Issues can be marked as private, or belong to a private Project.

Steps To Reproduce
  1. Login as unprivileged user (tested successfully with a VIEWER account)
  2. Go to http://path.to/mantisbt/bug_actiongroup_page.php?action=COPY&bug_arr[]=PRIVATE_ISSUE_ID
  3. Behold the private issue's Summary in the list of selected issues
Additional Information

This vulnerability was originally reported by @d3vpoo1 in 0027357.

TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
related to 0027728 closeddregad CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments 
related to 0031086 closeddregad CVE-2023-22476: Private issue summary disclosure 
child of 0027357 closeddregad Attacker can leak private information via different functionality 

Activities

dregad

dregad

2020-12-07 17:59

developer   ~0064770

Last edited: 2020-12-07 18:05

CVE Request 997513 for CVE ID Request -- CVE-2020-29605 assigned

Related Changesets

MantisBT: master 12a9dcbb

2020-12-06 13:08

dregad


Details Diff		 Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private
issues' summary via Group Actions (bug_actiongroup_page.php).

Going through the provided list of issue IDs (bug_arr[]) and removing
any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes 0027727, 0027357, CVE-2020-29605		 Affected Issues
0027357, 0027727
mod - bug_actiongroup_page.php Diff File

MantisBT: master 9322c8c9

2020-12-29 05:02

dregad


Details Diff		 Per-project cache of view_bug_threshold

As suggested by @vboctor during review, the threshold can be different
in each project, so we need to check them individually.

Fixes 0027727		 Affected Issues
0027727
mod - bug_actiongroup_page.php Diff File