View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0027350 | mantisbt | security | public | 2020-09-26 05:30 | 2020-12-30 07:37 |
Reporter | d3vpoo1 | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | Windows | OS | Windows | OS Version | Windows10 |
Product Version | 2.24.3 | ||||
Target Version | 2.24.4 | Fixed in Version | 2.24.4 | ||
Summary | 0027350: When updating an issue, a Viewer user can be set as Reporter | ||||
Description | This is the same as my old report (if I am correct); however, this allows the admin to set the reporter to the viewer role. This can be found on | ||||
Steps To Reproduce |
Request
Response
Exploit
Exploit request
Exploit response
| ||||
Additional Information | I try to edit the In case you need a PoC, please mention it (I can't upload any attachment right now due to internet issues). | ||||
Tags | No tags attached. | ||||
Hi! Any possible update here and on other tickets? |
|
Problem is confirmed. An extra sanity check will be added to Bug Update page to prevent this scenario. |
|
Thank you for the update, and apologies again for the extra work for the 2.4.x version. |
|
Thanks for your patience, and sorry it took me so long to get around to this. |
|
Greetings! Thank you for the experience and for the CVEs. As I promised, this batch of reports will be my last issues/submissions (including on the GitHub issues). The whole experience is fun and I learned a lot on this open source; on this one I read the documentation, searched a lot of different implementations (for addons), used Git for integration and even wrote my first exploit... In the near future I would like to test this one again and even recommend this platform... Once again, thank you so much, and apologies for the extra work... |
|
MantisBT: master 06524d75 2020-11-21 23:25 Details Diff |
Ensure given Reporter is allowed to report issues

When updating an issue, if the user specified as reporter does not have sufficient access level to report issues, throw an error.

Fixes 0027350 |
Affected Issues 0027350 |
|
mod - bug_update.php | Diff File | ||
MantisBT: master a528b607 2020-12-05 13:22 Details Diff |
Allow bug update if original reporter missing

Adding validation on reporter id caused Mantis to trigger error and prevent bug update, when editing a bug and the user who reported it no longer exists.

Issue 0027350 |
Affected Issues 0027350 |
|
mod - bug_update.php | Diff File |
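
One way to implement the server-side check that the two commit messages above describe, including the missing-original-reporter case from the second one. This is an added example, not MantisBT's code: the function name, access-level constants, threshold and sample users are hypothetical, and validating only when the reporter field changes is an assumption about how that edge case can be handled.

```php
<?php
// Added illustration, not MantisBT code. All names and values are hypothetical.
const VIEWER = 10;
const REPORTER = 25;
const REPORT_THRESHOLD = REPORTER; // assumed minimum level allowed to report issues

// Constructed sample users: id => access level in the project.
$users = [1 => 90, 2 => REPORTER, 3 => VIEWER];

/**
 * Server-side check for the reporter field of an issue update.
 * Throws if the submitted reporter is not allowed to report issues.
 */
function validate_reporter(array $users, int $oldReporterId, int $newReporterId): void
{
    // Unchanged reporter: skip validation, so an issue whose original
    // reporter no longer exists can still be edited.
    if ($newReporterId === $oldReporterId) {
        return;
    }
    if (!array_key_exists($newReporterId, $users)) {
        throw new InvalidArgumentException("User $newReporterId does not exist");
    }
    if ($users[$newReporterId] < REPORT_THRESHOLD) {
        throw new DomainException("User $newReporterId is not allowed to report issues");
    }
}

// Constructed cases: [stored reporter, submitted reporter, intended outcome]
$cases = [
    [2, 2, 'accepted'],   // reporter unchanged
    [2, 1, 'accepted'],   // changed to a user at or above the threshold
    [2, 3, 'rejected'],   // changed to a Viewer: the reported problem
    [2, 99, 'rejected'],  // changed to a user id that does not exist
    [42, 42, 'accepted'], // original reporter deleted, field left untouched
];

foreach ($cases as [$old, $new, $intended]) {
    try {
        validate_reporter($users, $old, $new);
        $outcome = 'accepted';
    } catch (InvalidArgumentException | DomainException $e) {
        $outcome = 'rejected';
    }
    printf("%d -> %d: %s (intended: %s)\n", $old, $new, $outcome, $intended);
}
```

The check uses only values the server already holds (the stored reporter and the user table), so a reporter id altered in the submitted request cannot bypass it.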