MantisBT: master-2.26 ef0f8202

Author: dregad
Committer: dregad
Branch: master-2.26
Timestamp: 2024-09-28 10:54
Parent: master-2.26 3b1caab1
Affected Issues: 0034640: CVE-2024-45792: Insecure Direct Object References vulnerability with user profiles
Changeset

Prevent unauthorized access to other users' Profiles

Create 2 new Profile API functions: profile_can_update() and
profile_ensure_can_update().

Use them in account_prof_update.php and account_prof_edit_page.php to
ensure that users can only view and update their own Profiles (or the
global ones if they are authorized to).

Fixes 0034640, CVE-2024-45792

(cherry picked from commit 56bbd02dc1fb33a8de5898fd17dc3d698c847f55)

mod - account_prof_edit_page.php
mod - account_prof_update.php
mod - core/profile_api.php
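The authorization gap this changeset closes, as an added illustration that is not MantisBT's code: the real profile_can_update() and profile_ensure_can_update() live in core/profile_api.php and are not reproduced here. The ALL_USERS marker for global profiles, the threshold constant, the in-memory profile rows and the access levels are all assumptions constructed for this example.

```php
<?php
// Constructed model of an IDOR on profile ids and the ownership check that fixes it.
const ALL_USERS = 0;                         // assumed: owner id used for global profiles
const MANAGE_GLOBAL_PROFILE_THRESHOLD = 90;  // assumed: access level needed for global ones

$profiles = [                                // constructed sample rows: id => row
    1 => ['user_id' => 10,        'platform' => 'Linux',   'os' => 'Debian 12'],
    2 => ['user_id' => 20,        'platform' => 'Windows', 'os' => '11'],
    3 => ['user_id' => ALL_USERS, 'platform' => 'macOS',   'os' => '14'],
];
$access_levels = [10 => 25, 20 => 25, 30 => 90]; // constructed: user id => access level

function profile_can_update(int $p_profile_id, int $p_user_id): bool {
    global $profiles, $access_levels;
    if (!isset($profiles[$p_profile_id])) {
        return false;                        // unknown id: deny without leaking existence
    }
    $t_owner = $profiles[$p_profile_id]['user_id'];
    if ($t_owner === $p_user_id) {
        return true;                         // the caller's own profile
    }
    if ($t_owner === ALL_USERS) {            // global profile: requires elevated access
        return ($access_levels[$p_user_id] ?? 0) >= MANAGE_GLOBAL_PROFILE_THRESHOLD;
    }
    return false;                            // another user's profile: deny by default
}

function profile_ensure_can_update(int $p_profile_id, int $p_user_id): void {
    if (!profile_can_update($p_profile_id, $p_user_id)) {
        throw new RuntimeException("Access denied to profile $p_profile_id");
    }
}

// Vulnerable pattern: the id comes straight from the request and only existence is checked,
// so user 10 can read or update profile 2, which belongs to user 20.
function edit_page_before(int $p_profile_id, int $p_user_id): array {
    global $profiles;
    return $profiles[$p_profile_id];
}

// Fixed pattern: authorize against the current user before any read or write.
function edit_page_after(int $p_profile_id, int $p_user_id): array {
    global $profiles;
    profile_ensure_can_update($p_profile_id, $p_user_id);
    return $profiles[$p_profile_id];
}

var_dump(profile_can_update(2, 10));         // other user's profile
var_dump(profile_can_update(3, 10));         // global profile, user below threshold
var_dump(profile_can_update(3, 30));         // global profile, user meets threshold
try { edit_page_after(2, 10); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```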