From ${URL} :

In MantisBT, the "Project Documentation" feature can be used to attach files to a project. When this feature is enabled ($g_enable_project_documentation = ON) and the threshold to view these files is left to its default value ($g_view_proj_doc_threshold = ANYBODY), any registered user in the system can download every such attachment, including those which are linked to private projects to which the user does not have access.

This can be achieved by calling the download script directly, and specifying the ID of the file to download, e.g. http://example.com/mantis/file_download.php?file_id=123&type=doc

Affected versions:
- <= 1.2.19
- <= 1.3.0-beta.2

Fixed in versions:
- 1.2.20 (not yet released)
- 1.3.0-rc1 (not yet released)

Patch: See Github [1]

Credits: The issue was discovered by Werner Karl and fixed by Damien Regad (MantisBT Developer).

References: Further details available in our issue tracker [2]

Best regards,
D. Regad
MantisBT Developer
http://www.mantisbt.org

[1] http://github.com/mantisbt/mantisbt/commit/f39cf525 (1.2.x)
    http://github.com/mantisbt/mantisbt/commit/a4be76d6 (1.3.x)
[2] https://mantisbt.org/bugs/view.php?id=19873

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
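The authorization gap the advisory describes, modelled as an added example (this is not MantisBT code and not the referenced patch; the data, access-level values and function names are assumed): the pre-fix check consults only the global view threshold, while the hardened check first resolves the file's project and requires the user to actually have access to it.

```python
"""Model of the project-documentation download check from the advisory.
Constructed example: not MantisBT code; all names and data are assumed."""
from dataclasses import dataclass, field

# Access levels ordered like MantisBT's config constants (values assumed).
ANYBODY, VIEWER, REPORTER, DEVELOPER, MANAGER, ADMINISTRATOR = 0, 10, 25, 55, 70, 90

@dataclass
class Project:
    id: int
    private: bool                                  # private vs public project
    members: dict = field(default_factory=dict)    # user_id -> access level

@dataclass
class DocFile:
    id: int
    project_id: int
    name: str

# Constructed sample data: project 2 is private, user 7 is its only member.
PROJECTS = {1: Project(1, private=False),
            2: Project(2, private=True, members={7: DEVELOPER})}
FILES = {123: DocFile(123, project_id=2, name="internal-design.pdf"),
         124: DocFile(124, project_id=1, name="public-notes.txt")}
USER_GLOBAL_LEVEL = {7: REPORTER, 8: REPORTER}     # registered users

def project_access_level(user_id, project):
    """Effective level in a project: explicit members get their assigned level,
    everyone keeps their global level on public projects, nobody else on private."""
    if user_id in project.members:
        return project.members[user_id]
    return None if project.private else USER_GLOBAL_LEVEL.get(user_id)

def vulnerable_can_download(user_id, file_id, threshold=ANYBODY):
    """Pre-fix behaviour per the advisory: only the global threshold is compared,
    so the project the file belongs to is never consulted."""
    return file_id in FILES and USER_GLOBAL_LEVEL.get(user_id, -1) >= threshold

def hardened_can_download(user_id, file_id, threshold=ANYBODY):
    """Fixed behaviour: look up the file's project and require that the user
    has access to that project at or above the configured threshold."""
    doc = FILES.get(file_id)
    if doc is None:
        return False
    level = project_access_level(user_id, PROJECTS[doc.project_id])
    return level is not None and level >= threshold
```

With the default ANYBODY threshold, the vulnerable check lets registered user 8 fetch file 123 from the private project, while the hardened check denies it and still serves public-project files and member downloads.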
It has been some time since this Bug received an update. Since it is security related, bringing it up to the surface so it is not forgotten. Any updates?
It has been six months since the bug went into the system. Please decide if interested in maintaining the package, or if you would like to remove it from tree.
Multiple vulnerabilities spread across 9 different bugs. No movement from maintainers in over a year.
Package removed