View Issue Details

ID: 0027727
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-12-30 07:37
Reporter: d3vpoo1
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.24.4
Fixed in Version: 2.24.4
Summary: 0027727: CVE-2020-29605: Disclosure of private issue summary

Description

Due to insufficient access level checks, any user allowed to perform Group Actions can get access to private Issues' Summary, using a crafted bug_actiongroup_page.php URL. Target Issues can be marked as private, or belong to a private Project.

Steps To Reproduce

  1. Login as unprivileged user (tested successfully with a VIEWER account)
  2. Go to http://path.to/mantisbt/bug_actiongroup_page.php?action=COPY&bug_arr[]=PRIVATE_ISSUE_ID
  3. Behold the private issue's Summary in the list of selected issues

Additional Information

This vulnerability was originally reported by @d3vpoo1 in 0027357.

Tags: No tags attached.

Relationships

related to 0027728 (closed, dregad): CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
child of 0027357 (closed, dregad): Attacker can leak private information via different functionality

Activities

dregad

2020-12-07 17:59

developer   ~0064770

Last edited: 2020-12-07 18:05

CVE Request 997513 for CVE ID Request -- CVE-2020-29605 assigned

Related Changesets

MantisBT: master 12a9dcbb

2020-12-06 18:08:56

dregad

Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private
issues' summary via Group Actions (bug_actiongroup_page.php).

Going through the provided list of issue IDs (bug_arr[]) and removing
any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes 0027727, 0027357, CVE-2020-29605

Affected Issues: 0027357, 0027727
mod - bug_actiongroup_page.php

MantisBT: master 9322c8c9

2020-12-29 10:02:13

dregad

Per-project cache of view_bug_threshold

As suggested by @vboctor during review, the threshold can be different
in each project, so we need to check them individually.

Fixes 0027727

Affected Issues: 0027727
mod - bug_actiongroup_page.php
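
The access filtering described in the two changesets above, as an added example that is not MantisBT's code: a simplified, self-contained PHP model in which the function name, the threshold values and all data records are constructed for illustration. IDs the user may not view are dropped before any summary is rendered, and each project's view threshold is resolved once and cached.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the fix, with constructed data (not MantisBT's schema or API).
const VIEWER = 10;
const DEVELOPER = 55;

$projects = [
    1 => ['view_bug_threshold' => VIEWER],
    2 => ['view_bug_threshold' => DEVELOPER],
];
$issues = [
    101 => ['project_id' => 1, 'private' => false, 'summary' => 'Typo on login page'],
    102 => ['project_id' => 1, 'private' => true,  'summary' => 'Private report'],
    201 => ['project_id' => 2, 'private' => false, 'summary' => 'Restricted project issue'],
];
// Current user's access level per project; a missing project means no access.
$access = [1 => VIEWER];

function filter_viewable_issues(array $ids, array $issues, array $projects,
                                array $access, int $privateThreshold): array
{
    $thresholds = [];   // per-project cache: project_id => view_bug_threshold
    $allowed = [];
    foreach ($ids as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT);
        if ($id === false || !isset($issues[$id])) {
            continue;   // malformed or unknown ID: drop it
        }
        $projectId = $issues[$id]['project_id'];
        // Thresholds can differ between projects, so resolve each one individually.
        $thresholds[$projectId] ??= $projects[$projectId]['view_bug_threshold'];
        $required = $thresholds[$projectId];
        if ($issues[$id]['private']) {
            $required = max($required, $privateThreshold);
        }
        if (($access[$projectId] ?? 0) >= $required) {
            $allowed[] = $id;
        }
    }
    return $allowed;
}

// IDs arrive as untrusted request strings, as bug_arr[] does.
$requested = ['101', '102', '201', 'abc'];
$visible = filter_viewable_issues($requested, $issues, $projects, $access, DEVELOPER);
foreach ($visible as $id) {
    echo $id, ': ', $issues[$id]['summary'], PHP_EOL;
}
```

With the constructed VIEWER account, only issue 101 survives the filter; the private issue, the issue in the restricted project and the malformed ID never reach the rendering loop.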