View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0027361 | mantisbt | security | public | 2020-09-27 16:45 | 2021-01-21 03:48 |

| Field | Value |
|---|---|
| Reporter | d3vpoo1 |
| Assigned To | dregad |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | Windows |
| OS | Windows |
| OS Version | Windows 10 |
| Target Version | 2.24.4 |
| Fixed in Version | 2.24.4 |
| Summary | 0027361: Private category can be accessed/used by a non-member of a private project (IDOR) |
| Description | This is almost the same as my previous report; however, this can be triggered on submitting issues. This can be found on |
| Steps To Reproduce | |
| Additional Information | I will add some stuff here if I find other issues (on this endpoint but a different parameter) |
| Tags | No tags attached. |
Bug is confirmed. An additional check is needed, to ensure that the category is available in the current project hierarchy.

Out of topic: How do you request a CVE ID? I found an issue in other software. I already submitted one but they haven't replied for almost a month or two.

Original report only mentioned that the problem existed in bug_report.php, but in fact it is also present in bug_update.php.
MantisBT: master a4c4865b 2020-11-22 07:54

Prevent setting category not belonging to project

When retrieving a category for a given project, make sure that it is available in the project's hierarchy, taking inheritance into account.

Fixes 0027361

Affected Issues: 0027361, 0027826

mod - api/soap/mc_api.php

MantisBT: master 889c8d24 2020-12-13 07:06

New API to check category existence within project

Added 2 new functions in Category API: category_exists_in_project() and category_ensure_exists_in_project(). Improve PHPDoc for category_exists() and category_ensure_exists() to clearly indicate that they check for a category's existence globally, unlike the new functions.

Issue 0027361

Affected Issues: 0027361, 0027826

mod - api/soap/mc_api.php
mod - core/category_api.php

MantisBT: master 5376d2a2 2020-12-13 07:08

Prevent setting category not belonging to project

When retrieving a category for a given project, make sure that it is available in the project's hierarchy, taking inheritance into account. This is a follow-up on commit b77859901050b558bfcd28050cff1599d60e45fa which only covered bug_report.php, when in fact the same problem was also present in bug_update.php.

Fixes 0027361

Affected Issues: 0027361

mod - bug_update.php

MantisBT: master-2.24 074b3f5d 2021-01-01 06:19

Fix "Category 0 not found" when reporting new issue

By definition, category "0" (no category) does not exist in any project, but when empty category is allowed ($g_allow_no_category = ON), category_exists_in_project() should return true. Regression introduced by a4c4865b2102c2c0bfc53692499514db0b744dc9 in issue 0027361.

Fixes 0027826

Affected Issues: 0027361, 0027826

mod - core/category_api.php
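The fixes above come down to one authorization rule for a client-supplied object id: a category must exist within the hierarchy of the project the issue is filed in (inheritance included), not merely exist somewhere in the database, and category 0 is acceptable only when the "no category" setting allows it. The PHP below is an added example written for this page, not MantisBT's own code: the project/category arrays, the ids, the convention that owner 0 means a global category, and the `example_*` function names are all constructed for the demonstration, and the functions are not the real `category_exists_in_project()`. It places the global-existence check the report exploits beside the hierarchy-aware check, and handles the category 0 case from the last commit.

```php
<?php
declare(strict_types=1);

// Added example (not MantisBT code). All data below is constructed.

// Constructed: project id => ids of the projects it inherits categories from.
const PROJECT_PARENTS = [
    10 => [],     // public project
    11 => [10],   // subproject of 10, inherits its categories
    20 => [],     // private project, unrelated to 10 and 11
];

// Constructed: category id => owning project id (0 means a global category).
const CATEGORY_PROJECT = [
    1 => 0,    // global, available in every project
    2 => 10,   // belongs to public project 10
    3 => 20,   // belongs to private project 20
];

/** Return the ids of all projects whose categories project $projectId may use. */
function example_project_hierarchy(int $projectId): array
{
    $seen  = [$projectId => true];
    $queue = [$projectId];
    while ($queue !== []) {
        $current = array_shift($queue);
        foreach (PROJECT_PARENTS[$current] ?? [] as $parent) {
            if (!isset($seen[$parent])) {   // also guards against cycles in the hierarchy
                $seen[$parent] = true;
                $queue[] = $parent;
            }
        }
    }
    return array_keys($seen);
}

/**
 * Hierarchy-aware check: true only if the category is global or owned by a
 * project in $projectId's inheritance chain. Category 0 ("no category") is
 * valid only when $allowNoCategory is set, the case the 0027826 regression
 * fix restored.
 */
function example_category_exists_in_project(int $categoryId, int $projectId, bool $allowNoCategory): bool
{
    if ($categoryId === 0) {
        return $allowNoCategory;
    }
    if (!array_key_exists($categoryId, CATEGORY_PROJECT)) {
        return false;   // unknown id gets the same answer as a foreign category
    }
    $owner = CATEGORY_PROJECT[$categoryId];
    if ($owner === 0) {
        return true;    // global category
    }
    return in_array($owner, example_project_hierarchy($projectId), true);
}

/** The weak pattern: only asking whether the id exists at all. */
function example_category_exists_globally(int $categoryId): bool
{
    return array_key_exists($categoryId, CATEGORY_PROJECT);
}

// Simulate submissions to project 11 (a subproject of 10) with assorted category ids.
foreach ([1, 2, 3, 0, 99] as $categoryId) {
    printf(
        "project 11, category %d: global check=%s, hierarchy check=%s\n",
        $categoryId,
        example_category_exists_globally($categoryId) ? 'accept' : 'reject',
        example_category_exists_in_project($categoryId, 11, true) ? 'accept' : 'reject'
    );
}
```

Running it shows the two checks disagree exactly where it matters: category 3, owned by the unrelated private project 20, passes the global check but is rejected by the hierarchy check, while category 2 is accepted by both because project 11 inherits it from project 10. Category 0 is rejected by the global lookup but accepted by the hierarchy check when no-category is allowed, which is the behaviour the regression fix restores.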