View Issue Details
|ID|Project|Category|View Status|Date Submitted|Last Update|
|0027370|mantisbt|security|public|2020-10-02 03:29|2020-12-30 07:37|
|Target Version|2.24.4|Fixed in Version|2.24.4|
|Summary|0027370: CVE-2020-35849: Revisions allow viewing private bugnotes id and summary|
I rechecked my old reports/issues and observed that in a default MantisBT instance the developer can only edit the revision.
Note: I created a new instance of MantisBT again to prevent/stop my old configuration.
This is almost the same as the report that I submitted before; however, this one discloses the
|Steps To Reproduce|
I ran diff on the default config file and my testing config file, and no result was produced.
|Tags|No tags attached.|
Hi! After observing this and comparing it to my last report, this only allows the attacker to disclose the summary and not the bug note. This is not a duplicate of the previous report because this can be found on a different endpoint. I got confused; I thought the one that I disclosed was the
When you refer to "my last report", considering you have reported more than 10 of them, I guess you mean 0027039?
I forgot which issue, but I guess I was referring to https://mantisbt.org/bugs/view.php?id=27357
While working on the fix for this issue, I realized that low-privileged users can view the revisions when accessing bug_revision_view_page.php directly, but they are not shown the View Revisions link on the bugnote page, because the ability to view bugnote revisions is driven by the private_bugnote_threshold config.
This inconsistency was previously reported in 0020690, so now is a good time to fix this.
That one was a bit more complex to fix than I had anticipated...
Is this one getting a CVE?
CVE-2020-35849 assigned via request 1007235
MantisBT: master e9fd168c
2020-12-06 10:32:42
Deny access to revisions if not authorized
If user is not allowed to view a revision's parent bug or bugnote,
bug_revision_view_page.php now shows an Access Denied error, instead
of showing the bug Id and Summary (information disclosure).
mod - bug_revision_view_page.php
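The root cause described above (revisions reachable by requesting bug_revision_view_page.php directly, while only the View Revisions link was gated) and the fix the commit message describes, shown as an added, constructed PHP model that is not MantisBT's own code; the access levels, sample data, helper names and the threshold constant standing in for private_bugnote_threshold are all assumptions made for this illustration.

```php
<?php
// Constructed model (not MantisBT code) of the missing server-side check.
// Access levels, data and helper names are assumptions for illustration only.
const ACCESS_VIEWER    = 10;
const ACCESS_DEVELOPER = 50;
// Stand-in for the private_bugnote_threshold config option.
const PRIVATE_BUGNOTE_THRESHOLD = ACCESS_DEVELOPER;

// Constructed sample data: a public bug, a private bugnote on it, one revision of that note.
$bugs      = [ 101  => [ 'summary' => 'Login page crashes' ] ];
$bugnotes  = [ 5001 => [ 'bug_id' => 101, 'reporter' => 'alice', 'private' => true ] ];
$revisions = [ 9    => [ 'bugnote_id' => 5001, 'value' => 'earlier note text' ] ];
$users     = [ 'alice' => ACCESS_DEVELOPER, 'bob' => ACCESS_VIEWER ];

// The same rule the UI uses to decide whether to show the "View Revisions" link:
// a private note is visible to its author and to users at or above the threshold.
function user_can_view_bugnote( string $user, int $bugnote_id ): bool {
    global $bugnotes, $users;
    $note = $bugnotes[ $bugnote_id ];
    if ( !$note['private'] ) {
        return true;
    }
    return $note['reporter'] === $user || $users[ $user ] >= PRIVATE_BUGNOTE_THRESHOLD;
}

// Vulnerable shape: the page trusts the revision id from the URL and prints the parent
// bug id and summary without checking who is asking; the hidden UI link does not help.
function revision_page_vulnerable( string $user, int $revision_id ): string {
    global $revisions, $bugnotes, $bugs;
    $bug_id = $bugnotes[ $revisions[ $revision_id ]['bugnote_id'] ]['bug_id'];
    return "Bug $bug_id: " . $bugs[ $bug_id ]['summary'];
}

// Fixed shape, as the e9fd168c commit message describes: resolve the parent
// bugnote, enforce the visibility rule server-side, and return Access Denied
// before any bug id or summary is rendered.
function revision_page_fixed( string $user, int $revision_id ): string {
    global $revisions, $bugnotes, $bugs;
    $note_id = $revisions[ $revision_id ]['bugnote_id'];
    if ( !user_can_view_bugnote( $user, $note_id ) ) {
        return 'Access Denied';
    }
    $bug_id = $bugnotes[ $note_id ]['bug_id'];
    return "Bug $bug_id: " . $bugs[ $bug_id ]['summary'];
}

// bob is below the threshold and never sees the link, yet the vulnerable page leaks the summary.
echo revision_page_vulnerable( 'bob', 9 ), "\n";
echo revision_page_fixed( 'bob', 9 ), "\n";
echo revision_page_fixed( 'alice', 9 ), "\n";
```

The detection lesson is the same one the maintainer draws: an authorization rule enforced only when deciding whether to render a link is not enforced at all, so every endpoint that takes an object id must apply the rule itself.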