MantisBT: master-2.28 955cb50f

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-05-02 07:01
Parent: master-2.28 5b7f5bc9
Affected Issues  0036985: CVE-2026-42071: REST Issue File Listing Leaks Attachments From Hidden Private Bugnotes
Changeset

Fix Private Bugnote Attachment Leak via SOAP API

Incomplete access checks in mci_file_can_download_bug_attachments()
resulted in unauthorized access to attachments.

The function has been removed and replaced by calls to standard file
API functions file_can_download_bug_attachments() and
file_can_download_bugnote_attachments().

Fixes 0036985, GHSA-pw5x-2mf9-3xc8 / CVE-2026-42071

mod - api/soap/mc_file_api.php