MantisBT CVE-2012-1122 Fix: Incorrect Access Check When Moving Bugs Between Projects

Key Vulnerability Information Summary Vulnerability ID: 0013748 Project: mantisbt Category: security Priority: normal Severity: minor Status: closed Resolution: fixed Reproducibility: always Product Version: 1.2.8 Target Version: 1.2.9 Fixed Version: 1.2.9 Vulnerability Description When a user attempts to move an issue from project A to project B, if the user’s current access level in project A is below the , the system denies the move, even though the user should have permission to move the issue (i.e., they have in project A and in project B). Reproduction Steps 1. Set the for project A to 100 (NOBODY). 2. Select a bug in project A. 3. Attempt to move it to project B. Error Message "You did not have appropriate permissions to perform that action" is displayed. Key Activity Log 2012-01-09: dregad pointed out that the access check in was incorrect and should validate the user’s permission in the target project (not the current project). 2012-03-06: The issue was assigned CVE identifier CVE-2012-1122, described as performing incorrect access checks when moving bugs between projects. 2013-04-05: grangeway marked the issue as 'confirmed' unresolved/closed and tracked the fix porting to the master-2.0.x branch. Related Changesets MantisBT: master 0da3f7ac Fix for moving bugs with access level below report_bug_threshold MantisBT: master-1.2.x 64af3ef8 Fix for moving bugs with access level below report_bug_threshold

Goal Reached Thanks to every supporter — we hit 100%!

MantisBT CVE-2012-1122 Fix: Incorrect Access Check When Moving Bugs Between Projects