View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0027262 | mantisbt | security | public | 2020-09-08 22:50 | 2020-12-30 08:33 |
Reporter | d3vpoo1 | Assigned To | dregad | ||
Priority | high | Severity | minor | Reproducibility | always |
Status | closed | Resolution | duplicate | ||
Platform | Windows | OS | Windows | OS Version | Windows 10 |
Product Version | 2.24.2 | ||||
Summary | 0027262: Private files can be downloaded by attacker | ||||
Description | Though this issue seems to be a functionality, the attacker can abuse this and view/download the private files due to a guessable id (increment_id). | ||||
Steps To Reproduce | | ||||
Additional Information | I tested this issue with viewer permission and it seems that it validates the endpoint. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||