CVE-2020-29605

描述

An issue was discovered in MantisBT before 2.24.4. Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary fields of private Issues via bug_arr[]= in a crafted bug_actiongroup_page.php URL. (The target Issues can have Private view status, or belong to a private Project.)

受影響套件(1)

• Packagist/mantisbt/mantisbtfrom 0, < 2.24.4

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-29605
• PATCHhttps://github.com/mantisbt/mantisbt
• WEBhttps://github.com/mantisbt/mantisbt/commit/9322c8c9f57fb72f3b8b033889a6a09c441d5be0
• WEBhttps://mantisbt.org/bugs/view.php?id=27357
• WEBhttps://mantisbt.org/bugs/view.php?id=27727