MantisBT: master-2.28 2d3a5537

Author Committer Branch Timestamp Parent
dregad dregad master-2.28 2026-05-29 19:18 master-2.28 c6ccd554
Affected Issues  0037181: CVE-2026-49280: REST and SOAP APIs allows UPDATER users to change issue status despite $g_update_bug_status_threshold
Changeset

Check update_bug_status_threshold in mc_issue_update()

This missing check was allowing a user having update_bug_threshold to
change an Issue's status, even if their access level is below
update_bug_status_threshold.

Fixes 0037181, GHSA-m7ph-9558-mrx3, CVE-2026-49280

mod - api/soap/mc_issue_api.php Diff File