View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0024365 | mantisbt | security | public | 2018-04-25 13:02 | 2018-04-29 19:21 |
Reporter | dregad | Assigned To | dregad | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.3.0 | ||||
Target Version | 1.3.15 | Fixed in Version | 1.3.15 | ||
Summary | 0024365: CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality | ||||
Description | This is a clone of 0024221 for tracking in 1.3.x changelog | ||||
Tags | No tags attached. | ||||
MantisBT: master-1.3.x 5cbf97f4 2018-04-25 08:31 Details Diff |
Prevent cloning private issues by unauthorized users Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce, additional information) when cloning. By checking the 'Copy issue notes' and 'Copy attachments' checkboxes and completing the clone operation, this data also becomes public (except private notes). Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding. @atrol noted that the same vulnerability also existed in bug_report.php, although in this case the information disclosure is limited to notes and attachments (issue data itself does not become accessible). Added an access level check, so that the operation now fails with an Access Denied error in both cases. Backported from 1fbcd9bca2f2c77cb61624d36ddee4b3802c38ea Fixes 0024365, CVE-2018-9839 |
Affected Issues 0024365 |
|
mod - bug_report.php | Diff File | ||
mod - bug_report_page.php | Diff File |