MantisBT: master-2.28 5b7f5bc9

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-05-02 06:29
Parent: master-2.28 77d25d37
Affected Issues  0036985: CVE-2026-42071: REST Issue File Listing Leaks Attachments From Hidden Private Bugnotes
Changeset

Fix Private Bugnote Attachment Leak via REST API

Add missing $p_bugnote_id argument to file_can_view_or_download() call
in file_can_view_bugnote_attachments. This fixes the incorrect access
check that was giving undue access to private attachments.

Fixes 0036985, GHSA-pw5x-2mf9-3xc8 / CVE-2026-42071

mod - core/file_api.php