From: David H. <d...@hx...> - 2013-01-19 00:41:36
FYI

Thanks Damien

-------- Forwarded Message --------
> From: David Hicks <d...@hx...>
> Reply-to: oss...@li...
> To: oss...@li...
> Cc: Damien Regad <dam...@me...>
> Subject: [oss-security] CVE request: MantisBT before 1.2.13 "Change Status To" feature allows unauthorised workflow changes
> Date: Sat, 19 Jan 2013 11:35:06 +1100
>
> Hello again list,
>
> Damien Regad (MantisBT developer) discovered and fixed[1] an access control/permissions bug in MantisBT that exists in MantisBT version 1.2.12 and prior.
>
> A MantisBT user with "Reporter" permissions (enabling them to report/create new issues) can modify the workflow status of any issue to "New" even if they do not have the necessary permission to make this change.
>
> Details of the bug, including steps to reproduce and patches are available at [1].
>
> References:
> [1] http://www.mantisbt.org/bugs/view.php?id=15258
>
> As per previous e-mails to this list within the past 24 hours, MantisBT 1.2.13 is expected to be released early next week.
>
> Can a CVE ID please be assigned to this issue?
>
> With thanks,
> David Hicks
> MantisBT Developer
> #mantisbt irc.freenode.net
> http://www.mantisbt.org/bugs/
>
> Bcc: man...@li...
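The bug class in the forwarded request is a status-change handler that verifies only a user's general right to edit an issue and then trusts whatever target status the request names. The following is an added example, not MantisBT's own code and not the patch referenced at [1]: it is a generic, constructed model of a workflow with per-target-status thresholds (the access-level numbers, status names, `WORKFLOW` table and `SET_STATUS_THRESHOLD` table are all assumptions), placing the weak check beside a hardened one that validates the transition and the threshold for the destination status on the server side.

```python
from dataclasses import dataclass, field

# Constructed access levels, ordered so that a higher number means more rights.
# These are assumptions for the example, not MantisBT's configured values.
VIEWER, REPORTER, DEVELOPER, MANAGER = 10, 25, 55, 70

# Constructed status names.
NEW, ASSIGNED, RESOLVED, CLOSED = "new", "assigned", "resolved", "closed"

# Which transitions the workflow permits from each status (constructed table).
WORKFLOW = {
    NEW: {ASSIGNED, RESOLVED},
    ASSIGNED: {NEW, RESOLVED},
    RESOLVED: {NEW, CLOSED},
    CLOSED: {NEW},
}

# Minimum access level needed to move an issue INTO each status (constructed).
# Note that reopening to NEW is deliberately above the Reporter level.
SET_STATUS_THRESHOLD = {
    NEW: DEVELOPER,
    ASSIGNED: DEVELOPER,
    RESOLVED: DEVELOPER,
    CLOSED: MANAGER,
}

# The general "may edit this issue at all" right; Reporters have it.
UPDATE_BUG_THRESHOLD = REPORTER


class PermissionDenied(Exception):
    """Raised when the acting user lacks the required access level."""


@dataclass
class Issue:
    id: int
    status: str
    history: list = field(default_factory=list)  # (old_status, new_status) pairs


def change_status_unchecked(issue: Issue, user_level: int, new_status: str) -> str:
    """Weak pattern: only the general update right is checked, so any user who
    can edit the issue can push it into any status the request names."""
    if user_level < UPDATE_BUG_THRESHOLD:
        raise PermissionDenied("cannot update issue")
    issue.history.append((issue.status, new_status))
    issue.status = new_status
    return issue.status


def allowed_targets(issue: Issue, user_level: int) -> set:
    """Statuses this user may move the issue into: the transition must exist in
    the workflow AND the user must meet the threshold for the target status."""
    if user_level < UPDATE_BUG_THRESHOLD:
        return set()
    return {
        target
        for target in WORKFLOW.get(issue.status, set())
        if user_level >= SET_STATUS_THRESHOLD[target]
    }


def is_change_permitted(issue: Issue, user_level: int, new_status: str) -> bool:
    """Server-side decision used by the hardened handler (and usable to build
    the status dropdown, so the UI and the enforcement agree)."""
    return new_status in allowed_targets(issue, user_level)


def change_status_checked(issue: Issue, user_level: int, new_status: str) -> str:
    """Hardened pattern: re-derives the permitted targets on the server and
    refuses anything outside them, regardless of what the client submitted."""
    if user_level < UPDATE_BUG_THRESHOLD:
        raise PermissionDenied("cannot update issue")
    if new_status not in WORKFLOW.get(issue.status, set()):
        raise ValueError(f"transition {issue.status} -> {new_status} not in workflow")
    if user_level < SET_STATUS_THRESHOLD[new_status]:
        raise PermissionDenied(
            f"access level {user_level} is below the threshold for '{new_status}'"
        )
    issue.history.append((issue.status, new_status))
    issue.status = new_status
    return issue.status


if __name__ == "__main__":
    # A Reporter reopening a resolved issue: slips through the weak check,
    # is refused by the hardened one.
    print(change_status_unchecked(Issue(1, RESOLVED), REPORTER, NEW))   # new
    print(is_change_permitted(Issue(1, RESOLVED), REPORTER, NEW))       # False
    print(sorted(allowed_targets(Issue(1, RESOLVED), MANAGER)))         # ['closed', 'new']
```

The point of `allowed_targets` is that the same function feeds both the rendered "Change Status To" options and the server-side check in `change_status_checked`; hiding an option in the form without re-checking the submitted value on the server is exactly the gap the weak handler leaves open.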