MantisBT: master-2.28 de2f71fd

Author Committer Branch Timestamp Parent
dregad dregad master-2.28 2026-05-30 13:09 master-2.28 c6ccd554
Affected Issues  0037200: CVE-2026-52883: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs
Changeset

Use IssueNoteAddCommand from mc_issue_update()

Using the Command to add notes instead of calling bugnote_add() ensures
consistent behavior.

It also prevents unauthorized, low-privilege users from submitting
TIME_TRACKING notes with arbitrary duration via SOAP and REST API, or
REMINDER notes (SOAP only).

Fixes 0037200, GHSA-4vpf-w7qv-5h3q

mod - api/soap/mc_issue_api.php Diff File