View Issue Details
| Field | Value |
|---|---|
| ID | 0036503 |
| Project | mantisbt |
| Category | bugtracker |
| View Status | public |
| Date Submitted | 2025-10-16 12:38 |
| Last Update | 2025-10-20 11:50 |
| Reporter | d3vpoo1 |
| Assigned To | dregad |
| Priority | normal |
| Severity | minor |
| Reproducibility | have not tried |
| Status | assigned |
| Resolution | open |
| Product Version | 2.27.1 |
| Target Version | 2.27.2 |
| Summary | 0036503: Ability to change the default project of a user |
| Description | Hi, the endpoint http://localhost/mantisbt/bug_report_page.php allows a user to modify the default project displayed on the tracker. During testing, I noticed that a private project can be set as the default project, but it only reflects on the admin side. |
| Steps To Reproduce | |
| Tags | No tags attached. |
| Attached Files | |
I confirm the behavior. It should not be possible to change the default to a project the user does not have access to. However, I cannot find any way to actually exploit this. It only creates an annoyance for the user, who will get an error (ERR_TOO_MANY_REDIRECTS) if they try to access bug_report_page.php while the current project is ALL_PROJECTS.
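As an added illustration (not MantisBT's own code, and not the fix shipped for this issue), the stand-alone PHP below sketches the access check the comment above says is missing: the handler that saves a user's default project should refuse any project the acting user cannot view, including a guessed id that does not exist. The project data, user ids and every function name are hypothetical.

```php
<?php
// Added illustration, not MantisBT code. It models the missing check behind
// this issue: saving a default project without verifying the acting user may
// view that project. Project ids, user ids and all function names are hypothetical.

const VS_PUBLIC  = 10;
const VS_PRIVATE = 50;

// Constructed sample data: project id => view state and explicit member list.
function sample_projects(): array {
	return [
		1 => ['name' => 'public-tracker', 'view_state' => VS_PUBLIC,  'members' => []],
		2 => ['name' => 'private-infra',  'view_state' => VS_PRIVATE, 'members' => [7]],
	];
}

// A user may view a public project, or a private project they are a member of.
// Unknown ids are treated as not viewable, so a guessed id cannot slip through.
function user_can_view_project( array $p_projects, int $p_user_id, int $p_project_id ): bool {
	if( !isset( $p_projects[$p_project_id] ) ) {
		return false;
	}
	$t_project = $p_projects[$p_project_id];
	if( $t_project['view_state'] === VS_PUBLIC ) {
		return true;
	}
	return in_array( $p_user_id, $t_project['members'], true );
}

// Before: the submitted project id is stored as-is, which is the behaviour the
// issue describes (a private, inaccessible project ends up as the default).
function set_default_project_unchecked( array &$p_prefs, int $p_user_id, int $p_project_id ): void {
	$p_prefs[$p_user_id] = $p_project_id;
}

// After: the same save, guarded by the view check. Returns false instead of
// saving so the caller can report an access error rather than silently store
// a project the user will then be unable to open.
function set_default_project_checked( array $p_projects, array &$p_prefs, int $p_user_id, int $p_project_id ): bool {
	if( !user_can_view_project( $p_projects, $p_user_id, $p_project_id ) ) {
		return false;
	}
	$p_prefs[$p_user_id] = $p_project_id;
	return true;
}

// Walk through the scenario: user 42 is not a member of private project 2.
$t_projects = sample_projects();
$t_prefs = [];

set_default_project_unchecked( $t_prefs, 42, 2 );
printf( "unchecked: user 42 default is now project %d (private, not a member)\n", $t_prefs[42] );

$t_prefs = [];
foreach( [[42, 2], [42, 1], [7, 2], [42, 999]] as [$t_user, $t_project] ) {
	$t_ok = set_default_project_checked( $t_projects, $t_prefs, $t_user, $t_project );
	printf( "checked: user %d -> project %d: %s\n", $t_user, $t_project, $t_ok ? 'accepted' : 'rejected' );
}
```

The point of the guarded version is that the check runs server-side against the project's stored visibility and membership, not against whatever list of projects the page happened to render for the user; a submitted id is untrusted input like any other form field.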
@d3vpoo1, I have not been able to change the default project for another user, only for the currently logged-in user. In ~70569 you implied that it was possible (I can modify the default project of other user), did I miss something? As it stands, I would not qualify this as a security issue - just an insufficient access check with no real consequences. I don't think it's worth a CVE.
Hi @dregad, thanks for this. I see, no issue with that one. Btw, is it OK to hide / set the 0036502:0070569 to private?
It's possible, but why? I don't see any confidential info there.