MantisBT: master-2.28 0a93267d

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-03-28 14:16
Parent: master-2.28 df22697a
Affected Issues
 0033404: Unable to grant user access to private issue by adding them as a monitoring user
 0036975: CVE-2026-34579: Authorization bypass in private issue monitoring allows unauthorized users to subscribe to restricted issues
Changeset

Only let users monitor private issues they can access

Fixes an information disclosure vulnerability, which was introduced by
the fix for issue 0033404.

MonitorAddCommand now checks for monitor_bug_threshold differently,
depending on whether the user is adding themselves (bug-level check) or
someone else (project-level check).

Fixes 0036975

mod - core/commands/MonitorAddCommand.php
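The two-path check the commit message describes, modelled here as an added Python example rather than MantisBT's own PHP code: the data model, the assumed pre-fix behaviour (one project-level check for everyone) and the threshold defaults, including MantisBT's monitor_add_others_bug_threshold setting, are assumptions. It puts the self-subscribe bypass beside the fixed check so the difference between a bug-level and a project-level check is visible.

```python
from dataclasses import dataclass

# Access levels and view states, assumed to mirror MantisBT's constants.
VIEWER, REPORTER, DEVELOPER, MANAGER = 10, 25, 55, 70
VS_PUBLIC, VS_PRIVATE = 10, 50
NO_ACCESS = 0
# Assumed defaults: who may monitor, who may add others, who sees private issues.
MONITOR_BUG_THRESHOLD = REPORTER
MONITOR_ADD_OTHERS_BUG_THRESHOLD = DEVELOPER
PRIVATE_BUG_THRESHOLD = DEVELOPER


@dataclass
class Bug:
    project_id: int
    view_state: int
    reporter_id: int
    handler_id: int


# Constructed fixture: (user_id, project_id) -> project-level access.
PROJECT_ACCESS = {(1, 100): MANAGER, (2, 100): REPORTER}


def project_level(user_id, project_id):
    return PROJECT_ACCESS.get((user_id, project_id), NO_ACCESS)


def bug_level(user_id, bug):
    """Project level, except that a private issue is invisible (NO_ACCESS) to
    users below PRIVATE_BUG_THRESHOLD who neither reported nor handle it."""
    level = project_level(user_id, bug.project_id)
    if (bug.view_state == VS_PRIVATE and level < PRIVATE_BUG_THRESHOLD
            and user_id not in (bug.reporter_id, bug.handler_id)):
        return NO_ACCESS
    return level


def can_add_monitor_vulnerable(actor_id, target_id, bug):
    """Assumed pre-fix behaviour: the target is checked at project level only,
    so a user who cannot view a private issue can still subscribe to it."""
    if actor_id != target_id and bug_level(actor_id, bug) < MONITOR_ADD_OTHERS_BUG_THRESHOLD:
        return False
    return project_level(target_id, bug.project_id) >= MONITOR_BUG_THRESHOLD


def can_add_monitor_fixed(actor_id, target_id, bug):
    """Self-subscribe: bug-level check, so the issue must be visible to the user.
    Adding someone else: the actor needs add-others rights on the issue, and the
    target is checked at project level so a manager can grant access (0033404)."""
    if actor_id == target_id:
        return bug_level(actor_id, bug) >= MONITOR_BUG_THRESHOLD
    if bug_level(actor_id, bug) < MONITOR_ADD_OTHERS_BUG_THRESHOLD:
        return False
    return project_level(target_id, bug.project_id) >= MONITOR_BUG_THRESHOLD
```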