MantisBT: master-2.25 840a4e80

Author: dregad
Committer: dregad
Branch: master-2.25
Timestamp: 2023-01-06 20:16
Parent: master-2.25 d9464fe8
Affected Issues: 0031086: CVE-2023-22476: Private issue summary disclosure
Changeset

Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private
issues' summary via Group Actions (bug_actiongroup_ext.php).

Going through the provided list of issue IDs (bug_arr[]) and removing
any issues the user does not have access to fixes the vulnerability.

Credits to d3vpoo1 (https://github.com/jrckmcsb) for reporting the issue.

Fixes 0031086, CVE-2023-22476

mod - bug_actiongroup_ext.php
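
The filtering step described in the commit message, as a stand-alone PHP example added here (it is not the MantisBT change itself): the submitted bug_arr[] values are validated and every ID the current user may not view is dropped before any summary is rendered. The functions `can_view_issue()`, `filter_accessible()` and `render_summaries()`, the issue data and the access levels are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Constructed sample data, not MantisBT's schema: issue id => record.
const ISSUES = [
    101 => ['summary' => 'Typo on login page', 'private' => false, 'reporter' => 'alice'],
    102 => ['summary' => 'Customer X contract leak', 'private' => true, 'reporter' => 'bob'],
    103 => ['summary' => 'Crash in export', 'private' => true, 'reporter' => 'alice'],
];
const PRIVATE_VIEW_LEVEL = 55; // assumed threshold for viewing others' private issues

// Hypothetical access check standing in for the application's real one.
function can_view_issue(array $user, int $id): bool {
    $issue = ISSUES[$id] ?? null;
    if ($issue === null) {
        return false; // unknown ids are treated as inaccessible
    }
    return !$issue['private']
        || $issue['reporter'] === $user['name']
        || $user['level'] >= PRIVATE_VIEW_LEVEL;
}

// Normalise the request array and drop every id the user may not view.
function filter_accessible(array $user, array $bug_arr): array {
    $ids = [];
    foreach ($bug_arr as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false && can_view_issue($user, $id)) {
            $ids[$id] = $id; // keyed by id to collapse duplicates
        }
    }
    return array_values($ids);
}

// Builds the confirmation list; only ever called with filtered ids.
function render_summaries(array $ids): array {
    return array_map(fn(int $id) => sprintf('%07d: %s', $id, ISSUES[$id]['summary']), $ids);
}

// Constructed request: a low-privilege user submits ids as if via bug_arr[].
$alice = ['name' => 'alice', 'level' => 25];
$requested = ['101', '102', '103', '103', '999', 'abc'];
print_r(render_summaries(filter_accessible($alice, $requested)));
```

Because the filter runs on the server before rendering, a private issue owned by another user (102 in the sample) never reaches the output, regardless of which IDs the client submits.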