View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0027727mantisbtsecuritypublic2020-12-07 13:482022-10-08 09:04
Reporterd3vpoo1 Assigned Todregad  
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Target Version2.24.4Fixed in Version2.24.4 
Summary0027727: CVE-2020-29605: Disclosure of private issue summary
Description

Due to insufficient access level checks, any user allowed to perform Group Actions can get access to private Issues' Summary, using a crafted bug_actiongroup_page.php URL. Target Issues can be marked as private, or belong to a private Project.

Steps To Reproduce
  1. Login as unprivileged user (tested successfully with a VIEWER account)
  2. Go to http://path.to/mantisbt/bug_actiongroup_page.php?action=COPY&bug_arr[]=PRIVATE_ISSUE_ID
  3. Behold the private issue's Summary in the list of selected issues
Additional Information

This vulnerability was originally reported by @d3vpoo1 in 0027357.

TagsNo tags attached.

Relationships

related to 0027728 closeddregad CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments 
related to 0031086 closeddregad CVE-2023-22476: Private issue summary disclosure 
child of 0027357 closeddregad Attacker can leak private information via different functionality 

Activities

dregad

dregad

2020-12-07 17:59

developer   ~0064770

Last edited: 2020-12-07 18:05

CVE Request 997513 for CVE ID Request -- CVE-2020-29605 assigned

Related Changesets

MantisBT: master 12a9dcbb

2020-12-06 13:08

dregad


Details Diff		 Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private
issues' summary via Group Actions (bug_actiongroup_page.php).

Going through the provided list of issue IDs (bug_arr[]) and removing
any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes 0027727, 0027357, CVE-2020-29605		 Affected Issues
0027357, 0027727
mod - bug_actiongroup_page.php Diff File

MantisBT: master 9322c8c9

2020-12-29 05:02

dregad


Details Diff		 Per-project cache of view_bug_threshold

As suggested by @vboctor during review, the threshold can be different
in each project, so we need to check them individually.

Fixes 0027727		 Affected Issues
0027727
mod - bug_actiongroup_page.php Diff File