View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|----|---------|----------|-------------|----------------|-------------|
| 0027268 | mantisbt | security | public | 2020-09-09 20:43 | 2020-11-05 11:33 |

| Platform | OS | OS Version |
|----------|----|------------|
| Windows | Windows | Windows 10 |

| Target Version | Fixed in Version |
|----------------|------------------|
| 2.24.3 | 2.24.3 |

Summary: 0027268: Admin can get issues assigned to users not allowed to handle them
The endpoint http://<HOST>/manage_proj_cat_edit_page.php?id=1&project_id=1 allows the admin to set the "assigned" user to a non-admin/non-manager via the assigned_to parameter.
Steps To Reproduce
EDIT (dregad): Moved HTML of success page to attachment.
In the images, the default selection is just admin/manager.
Tags: No tags attached.
Bug confirmed, thanks for the report.
Are you guys assigning a CVE for this one?
Considering it's a rather minor bug without significant consequences (being an issue's handler does not give that user any special access to the issue), I was not planning to, no.
MantisBT: master-2.24 dd86c9c0 (2020-09-20 10:24:12)
Prevent assignment of categories to non-handler users
manage_proj_cat_update.php did not perform the necessary checks on the
provided user id (assigned_to parameter), allowing users with an access
level below handle_bug_threshold to be assigned to a category, and
subsequently to bugs created in that category.
Also added a check to ensure the provided user id is valid.
As suggested by @atrol, the checks are performed in Category API.
mod - core/category_api.php
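The check the commit message describes, as an added illustration written for this issue and not taken from the project's patch: the supplied assigned_to id must belong to an existing user who meets handle_bug_threshold in the project before it is stored as a category's default handler. It assumes the MantisBT core API names used below (gpc_get_int, gpc_get_string, user_exists, access_has_project_level, config_get, category_update, and the constants NO_USER, ERROR_USER_BY_ID_NOT_FOUND, ERROR_ACCESS_DENIED); verify them against the tree you run.

```php
<?php
// Added example for issue 0027268; not the project's own fix.
// Assumed MantisBT core API: gpc_get_int, gpc_get_string, user_exists,
// access_has_project_level, config_get, category_update, and the constants
// NO_USER, ERROR_USER_BY_ID_NOT_FOUND, ERROR_ACCESS_DENIED.

/**
 * Reject a default-handler id that does not belong to a user allowed to
 * handle bugs in the project. NO_USER (no default handler) is always fine;
 * any other id must exist and must reach handle_bug_threshold.
 *
 * @param int $p_project_id  project the category belongs to
 * @param int $p_assigned_to user id taken from the request
 * @return void  triggers an error page on failure, so no update is stored
 */
function category_ensure_valid_handler( $p_project_id, $p_assigned_to ) {
	if( $p_assigned_to == NO_USER ) {
		return;
	}
	// Unknown ids were accepted before: refuse them explicitly.
	if( !user_exists( $p_assigned_to ) ) {
		trigger_error( ERROR_USER_BY_ID_NOT_FOUND, ERROR );
	}
	// Same threshold the assignment UI uses to build its handler list.
	$t_threshold = config_get( 'handle_bug_threshold' );
	if( !access_has_project_level( $t_threshold, $p_project_id, $p_assigned_to ) ) {
		trigger_error( ERROR_ACCESS_DENIED, ERROR );
	}
}

// Call site in the spirit of manage_proj_cat_update.php.
$f_project_id  = gpc_get_int( 'project_id' );
$f_category_id = gpc_get_int( 'id' );
$f_name        = gpc_get_string( 'name' );
$f_assigned_to = gpc_get_int( 'assigned_to', NO_USER );

// Before the fix $f_assigned_to went straight into the update, so a
// reporter-level (or non-existent) id became the category's handler and,
// from then on, the handler of every bug created in that category.
category_ensure_valid_handler( $f_project_id, $f_assigned_to );
category_update( $f_category_id, $f_name, $f_assigned_to );
```

Because the request id is only trusted after both checks pass, the page-level UI restriction (the dropdown listing only handlers) is no longer the sole control.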