MantisBT: master-2.28 e3571c31

Author Committer Branch Timestamp Parent
dregad community master-2.28 2026-06-27 12:11 master-2.28 2d3a5537
Affected Issues  0037121: CVE-2026-47156: SOAP API Authentication Bypass -> Privilege Escalation to Administrator
Changeset

Prevent SOAP API auth bypass using cookie_string

Verify that the given cookie actually belongs to the user trying to
login, deny access if not.

Username comparison is performed case insensitively.

Fixes 0037121, GHSA-c2xg-qjqw-2v98

mod - api/soap/mc_api.php Diff File