MantisBT: master-2.28 3f952e68

Author:    dregad
Committer: dregad
Branch:    master-2.28
Timestamp: 2026-03-16 13:40
Parent:    master-2.28 872f853e
Affected Issues  0036974: CVE-2026-33052: Authorization Bypass in Global Profile Creation via account_prof_update.php
Changeset

Only authorized users can create global profiles

Due to a missing access level check, an authenticated user allowed to
create personal profiles (add_profile_threshold) was able to create a
global profile despite not having manage_global_profile_threshold
privilege.

Adding access_ensure_global_level() to prevent auth bypass.

Fixes 0036974, GHSA-68w5-w573-q2r8

mod - account_prof_update.php
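The bug class the commit message describes, as an added PHP illustration that is not MantisBT's own code: the numeric access levels, the config array, the ensure_global_level() stand-in (for MantisBT's access_ensure_global_level()) and the two create_profile_* functions are all constructed assumptions; only the two threshold names come from the commit message.

```php
<?php
// Added illustration, not MantisBT code. Constructed stand-ins for a
// threshold-based access model: numeric levels, per-action thresholds.
const REPORTER      = 25;
const ADMINISTRATOR = 90;

// Constructed config; the two keys mirror the thresholds named in the
// commit message, the numeric values are assumptions.
$g_config = [
    'add_profile_threshold'           => REPORTER,
    'manage_global_profile_threshold' => ADMINISTRATOR,
];

class AccessDeniedException extends RuntimeException {}

// Stand-in for access_ensure_global_level(): abort unless the current
// user's global access level meets the given threshold.
function ensure_global_level(int $user_level, int $threshold): void {
    if ($user_level < $threshold) {
        throw new AccessDeniedException(
            "access level $user_level is below threshold $threshold");
    }
}

// Vulnerable shape: the only gate is the *personal* profile threshold, so
// the request-controlled 'global' flag is honoured for anyone passing it.
// user_id 0 stands in for an all-users (global) profile.
function create_profile_vulnerable(array $cfg, int $user_level, array $req): array {
    ensure_global_level($user_level, $cfg['add_profile_threshold']);
    $global = !empty($req['global']);
    return ['global' => $global, 'user_id' => $global ? 0 : $req['user_id']];
}

// Fixed shape: a global profile additionally requires the higher
// manage_global_profile_threshold before the flag is honoured.
function create_profile_fixed(array $cfg, int $user_level, array $req): array {
    ensure_global_level($user_level, $cfg['add_profile_threshold']);
    $global = !empty($req['global']);
    if ($global) {
        ensure_global_level($user_level, $cfg['manage_global_profile_threshold']);
    }
    return ['global' => $global, 'user_id' => $global ? 0 : $req['user_id']];
}

// Constructed request: a reporter-level user asks for a global profile.
$request = ['user_id' => 7, 'global' => '1', 'description' => 'Firefox on Linux'];

$p = create_profile_vulnerable($g_config, REPORTER, $request);
echo 'vulnerable: global=' . var_export($p['global'], true) . "\n";

try {
    create_profile_fixed($g_config, REPORTER, $request);
} catch (AccessDeniedException $e) {
    echo 'fixed: denied (' . $e->getMessage() . ")\n";
}
```

The point to check in a review of any such handler is that every privileged variant of a request (here, the global flag) is gated by its own threshold, not only by the threshold of the base action.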