View Issue Details

| Field | Value |
|---|---|
| ID | 0014704 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2012-09-11 14:37 |
| Last Update | 2014-09-23 18:05 |
| Reporter | szwagier44 |
| Assigned To | dregad |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.9 |
| Target Version | 1.2.12 |
| Fixed in Version | 1.2.12 |
| Summary | 0014704: CVE-2012-5523 Clone and Move issue with Copy bug notes - user gets email notice from project without access |
| Tags | No tags attached. |

Description

Clone and Move issue with Copy bug notes - user gets email notice from project without access

Mantis configuration:

I've got two users:

Steps:

Bug:
Good catch. Until a fix for this can be developed, I can only suggest as a workaround to uncheck "E-mail on Note Added" for "Users who added Issue Notes" in the Manage E-mail notifications page.

The email_collect_recipients api function should check that each recipient has access to the bug.

I've just checked your fix on version 1.2.9 and everything seems to be okay.

Thanks for your feedback.

CVE-2012-5523 assigned on oss-security mailing list on 2012-11-14

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch
MantisBT: master-1.2.x 2cc83ca9 2012-09-12 04:48

Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially receive email notifications for it. This could happen in case of permissions changes, or if an issue is moved to another project with different access rights. Added an access level check to exclude users who don't have at least VIEWER privilege to the bug.

Fixes 0014704

Affected Issues: 0014704

mod - core/email_api.php

MantisBT: master 2d815440 2012-09-12 04:48

Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially receive email notifications for it. This could happen in case of permissions changes, or if an issue is moved to another project with different access rights. Added an access level check to exclude users who don't have at least VIEWER privilege to the bug.

Fixes 0014704

Affected Issues: 0014704

mod - core/email_api.php
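The defect and the fix that the note and both commit messages describe, modelled as an added Python example; this is not MantisBT's own code (MantisBT is PHP), and the function names, numeric access levels and sample users are assumptions:

```python
# Added example (not MantisBT's code): models the recipient-collection
# defect in this issue. Users who added notes stay on an issue's
# notification list; after a clone-and-move into a project where a note
# author has no access, an unfiltered list still emails that user.
from dataclasses import dataclass, field

VIEWER = 10   # assumed numeric access thresholds, MantisBT-style
NOBODY = 0


@dataclass
class Bug:
    bug_id: int
    project_id: int
    reporter: str
    note_authors: list = field(default_factory=list)


# Constructed sample data: per-project access level for each user.
ACCESS = {
    ("alice", 1): VIEWER, ("alice", 2): VIEWER,
    ("bob", 1): VIEWER,            # bob has no access to project 2
}


def access_level(user, project_id):
    return ACCESS.get((user, project_id), NOBODY)


def collect_recipients_unchecked(bug):
    """Pre-fix behaviour: everyone who touched the bug is notified,
    regardless of whether they may still view it in its current project."""
    return sorted({bug.reporter, *bug.note_authors})


def collect_recipients(bug):
    """Fixed behaviour: drop anyone below VIEWER in the bug's project."""
    candidates = {bug.reporter, *bug.note_authors}
    return sorted(u for u in candidates
                  if access_level(u, bug.project_id) >= VIEWER)


def move_bug(bug, new_project_id):
    """Clone-and-move with 'Copy bug notes': authors kept, project changed."""
    return Bug(bug.bug_id, new_project_id, bug.reporter, list(bug.note_authors))


if __name__ == "__main__":
    moved = move_bug(Bug(14704, 1, "alice", ["bob"]), 2)
    print(collect_recipients_unchecked(moved))  # ['alice', 'bob']: bob leaks
    print(collect_recipients(moved))            # ['alice']
```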