0034434: CVE-2024-34080: Don't hyperlink references to notes whose issues are not accessible to user

ID	Project	Category	View Status	Date Submitted	Last Update
0034434	mantisbt	security	public	2024-05-05 15:51	2024-05-12 12:34

Reporter	vboctor	Assigned To	vboctor
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.26.1
Target Version	2.26.2	Fixed in Version	2.26.2

Summary	0034434: CVE-2024-34080: Don't hyperlink references to notes whose issues are not accessible to user
Description	If an issue references another issue that the user doesn't have access to, then it doesn't get hyperlinked. If an issue references a private note that the user can't view, then it doesn't get hyperlinked. However, if an issue references a note that belongs to an issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied, however, the link, link label, and tooltip are available. The information disclosed is: note author name note creation timestamp issue id the note belongs to. existence of the note.
Additional Information	https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q
Tags	No tags attached.

vboctor 2024-05-05 16:12 manager ~0068890	PR: https://github.com/mantisbt/mantisbt/pull/2000

dregad 2024-05-05 18:30 developer ~0068891 Last edited: 2024-05-05 18:30	@vboctor I suppose you created this as a private issue due to the information disclosure aspect of the bug ? If that is the case, then why are you creating a regular Github pull request, which is publicly accessible ? And is that the reason why you labelled it "refactoring" (it's not)... Being a security issue, we need a CVE ID for it. This is easily done by opening an Advisory (for future reference: https://github.com/mantisbt/mantisbt/security/advisories/new), which also gives us the possibility to create a private fork that can be used to work on the patch without disclosing anything until we're ready to publish it. I have opened GHSA-99jc-wqmr-ff2q.

dregad 2024-05-06 10:45 developer ~0068903	CVE-2024-34080 assigned

MantisBT: master-2.26 0a505623 2024-05-05 15:54 vboctor Committer: dregad Details Diff	Fix access level check for note links Fixes 0034434		Affected Issues 0034434
	mod - core/string_api.php		Diff File