MantisBT: master 56bbd02d

Author: dregad
Committer: community
Branch: master
Timestamp: 2024-09-28 10:47
Parent: master e5494b6b
Affected Issues: 0034640: CVE-2024-45792: Insecure Direct Object References vulnerability with user profiles
Changeset

Merge commit from fork

Create 2 new Profile API functions: profile_can_update() and
profile_ensure_can_update().

Use them in account_prof_update.php and account_prof_edit_page.php to
ensure that users can only view and update their own Profiles (or the
global ones if they are authorized to).

Fixes 0034640, CVE-2024-45792
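To make the fix described above concrete, here is an added illustration of an ownership check of the shape the commit message describes. It is not MantisBT's code: the function names mirror the message, but the in-memory profile table, the ALL_USERS sentinel for global profiles and the $can_manage_global flag are assumptions so the snippet runs stand-alone.

```php
<?php
// Added illustration (not MantisBT's code): an ownership check of the kind the
// commit describes, run against a constructed in-memory profile table.
// ALL_USERS, the table layout and the $can_manage_global flag are assumptions.
declare(strict_types=1);

const ALL_USERS = 0; // assumed sentinel: owner 0 marks a global profile

/** Constructed sample rows: profile id => [owner user_id, description]. */
const PROFILES = [
    10 => ['user_id' => 5,         'description' => "alice's laptop"],
    11 => ['user_id' => 7,         'description' => "bob's server"],
    12 => ['user_id' => ALL_USERS, 'description' => 'Shared: Ubuntu 22.04'],
];

/** Return the stored row or null; an unknown id is "not found", never "allowed". */
function profile_get_row(int $profile_id): ?array {
    return PROFILES[$profile_id] ?? null;
}

/**
 * A user may update a profile only if they own it, or if it is global and
 * they hold the global-profile management right. The decision is made on
 * the owner stored in the row, not on anything the request supplies, which
 * is what closes the IDOR: guessing another user's profile id gains nothing.
 */
function profile_can_update(int $profile_id, int $user_id, bool $can_manage_global): bool {
    $row = profile_get_row($profile_id);
    if ($row === null) {
        return false;
    }
    if ((int)$row['user_id'] === $user_id) {
        return true;
    }
    return (int)$row['user_id'] === ALL_USERS && $can_manage_global;
}

/** Fail closed: the edit page and update handler abort before touching the row. */
function profile_ensure_can_update(int $profile_id, int $user_id, bool $can_manage_global): void {
    if (!profile_can_update($profile_id, $user_id, $can_manage_global)) {
        throw new RuntimeException("Access denied to profile $profile_id for user $user_id");
    }
}

// alice (user 5) on her own profile, on bob's profile, and on the global
// profile with and without the management right.
foreach ([[10, 5, false], [11, 5, false], [12, 5, false], [12, 5, true]] as [$pid, $uid, $global]) {
    printf("profile %d, user %d, manage_global=%s => %s\n", $pid, $uid,
        $global ? 'yes' : 'no', profile_can_update($pid, $uid, $global) ? 'allowed' : 'denied');
}
```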

mod - account_prof_edit_page.php
mod - account_prof_update.php
mod - core/profile_api.php