View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0027726 | mantisbt | security | public | 2020-12-07 13:25 | 2020-12-30 07:37 |
Reporter | d3vpoo1 | Assigned To | dregad | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Target Version | 2.24.4 | Fixed in Version | 2.24.4 | ||
Summary | 0027726: CVE-2020-29603: Disclosure of private project name | ||||
Description | Any logged-in MantisBT user can retrieve Private Projects' names, without having access to them. | ||||
Steps To Reproduce |
| ||||
Additional Information | This vulnerability was originally reported by @d3vpoo1 in 0027357. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
MantisBT: master cff10f26 2020-12-06 07:39 Details Diff |
Avoid private project name disclosure When an unprivileged user tries to access a private project via manage_proj_edit_page.php, they receive an Access Denied as expected, but the project's name is leaked via the navbar's project selector. Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting and providing an initial patch for this bug. Fixes 0027726, 0027357, CVE-2020-29603 |
Affected Issues 0027357, 0027726 |
|
mod - core/layout_api.php | Diff File |