MantisBT: master-2.28 b1c3430b

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-05-08 04:05
Parent: master-2.28 6e58fae4
Affected Issues:
 0036995: CVE-2026-34390: Privilege Escalation from Manager to Administrator role per project basis
 0037002: Privilege Escalation Due to Improper Authorization in Project Role Assignment
Changeset

Revert "Cannot grant an access level higher than one's own"

This reverts commit 86accbca671a6a2bfe2204e58739b58d4f06b63d.

The vulnerability, identified in Issue 0037002, had in fact already been
reported (and fixed) in Issue 0036995, see commit
69e0180f180ed5acf48a8d281a73683a7bf32461.

mod - core/commands/ProjectUsersAddCommand.php