View Issue Details

ID: 0014704
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: szwagier44
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.9
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0014704: CVE-2012-5523 Clone and Move issue with Copy bug notes - user gets email notice from project without access
Description

Clone and Move issue with Copy bug notes - user gets email notice from project without access

Mantis configuration:
I've got two projects:

  • ProjectA
  • ProjectB

I've got two users:

  • UserA, who has access only to ProjectA
  • Manager, who has access to ProjectA and ProjectB

Steps:

  1. Some user reports an issue to ProjectA - IssueA
  2. UserA adds a note to IssueA
  3. Manager clones IssueA with the option "Copy bug notes" and gets a new issue - IssueB
  4. Manager moves IssueB from ProjectA to ProjectB
  5. Manager adds new notes to IssueB

Bug:
Now any action on IssueB, e.g. adding notes or changing status, causes an email notice to be sent to UserA from IssueB. UserA doesn't have access to IssueB but can read the whole history and all notes from the email body.

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad (developer), 2012-09-12 04:54, ~0032821

Good catch.

Until a fix for this can be developed, I can only suggest as a workaround to uncheck "E-mail on Note Added" for "Users who added Issue Notes" in Manage E-mail notifications page.

dregad (developer), 2012-09-12 12:01, ~0032822

The email_collect_recipients api function should check that each recipient has access to the bug.

szwagier44 (reporter), 2012-09-18 05:50, ~0032855

I've just checked your fix on version 1.2.9 and everything seems to be okay.

dregad (developer), 2012-09-18 06:01, ~0032856

Thanks for your feedback.

dregad (developer), 2013-03-04 11:22, ~0035370

CVE-2012-5523 assigned on oss-security mailing list on 2012-11-14

grangeway (reporter), 2013-04-05 17:56, ~0036082

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch

Related Changesets

MantisBT: master-1.2.x 2cc83ca9 (dregad, 2012-09-12 04:48)
Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially
receive email notifications for it. This could happen in case of
permissions changes, or if an issue is moved to another project with
different access rights.

Added an access level check to exclude users who don't have at least
VIEWER privilege to the bug.

Fixes 0014704
Affected Issues: 0014704
mod - core/email_api.php

MantisBT: master 2d815440 (dregad, 2012-09-12 04:48)
Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially
receive email notifications for it. This could happen in case of
permissions changes, or if an issue is moved to another project with
different access rights.

Added an access level check to exclude users who don't have at least
VIEWER privilege to the bug.

Fixes 0014704
Affected Issues: 0014704
mod - core/email_api.php
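The reporter's clone-and-move scenario and the access check described in the changesets above, as an added Python model. This is not MantisBT code: `PROJECT_ACCESS`, `Bug`, `has_bug_level` and both `collect_recipients_*` functions are constructed stand-ins for MantisBT's project access levels, `access_has_bug_level()` and `email_collect_recipients()`.

```python
from dataclasses import dataclass, field

# MantisBT-style numeric access levels (higher = more access); constructed model
ANYBODY, VIEWER, REPORTER, DEVELOPER, MANAGER = 0, 10, 25, 55, 70
# Constructed sample data mirroring the report: UserA can access ProjectA only
PROJECT_ACCESS = {
    "ProjectA": {"UserA": REPORTER, "Manager": MANAGER, "Reporter1": REPORTER},
    "ProjectB": {"Manager": MANAGER},
}

@dataclass
class Bug:
    bug_id: int
    project_id: str
    reporter_id: str
    handler_id: str = ""  # empty string = unassigned
    note_author_ids: list[str] = field(default_factory=list)

def has_bug_level(user_id: str, bug: Bug, threshold: int) -> bool:
    """Stand-in access check (not MantisBT's own): level in the bug's *current* project >= threshold."""
    level = PROJECT_ACCESS.get(bug.project_id, {}).get(user_id)
    return level is not None and level >= threshold

def collect_recipients_vulnerable(bug: Bug) -> set[str]:
    """Pre-fix behaviour: every related party is notified; access is never re-checked."""
    recipients = {bug.reporter_id, *bug.note_author_ids}
    if bug.handler_id:
        recipients.add(bug.handler_id)
    return recipients

def collect_recipients_fixed(bug: Bug) -> set[str]:
    """Post-fix behaviour: drop anyone lacking at least VIEWER on the bug's project."""
    return {u for u in collect_recipients_vulnerable(bug) if has_bug_level(u, bug, VIEWER)}

def clone_and_move(src: Bug, new_id: int, to_project: str, copy_notes: bool) -> Bug:
    """Clone with 'Copy bug notes', then move the clone to another project (steps 3-4)."""
    return Bug(new_id, to_project, src.reporter_id, src.handler_id,
               list(src.note_author_ids) if copy_notes else [])

def reproduce() -> tuple[set[str], set[str]]:
    """Steps 1-5 of the report; returns IssueB's recipients before and after the fix."""
    issue_a = Bug(1, "ProjectA", reporter_id="Reporter1", note_author_ids=["UserA"])
    issue_b = clone_and_move(issue_a, 2, "ProjectB", copy_notes=True)
    issue_b.handler_id = "Manager"
    issue_b.note_author_ids.append("Manager")  # step 5: Manager adds a note to IssueB
    return collect_recipients_vulnerable(issue_b), collect_recipients_fixed(issue_b)

if __name__ == "__main__":
    before, after = reproduce()
    print("pre-fix :", sorted(before))   # UserA is notified about a project it cannot see
    print("post-fix:", sorted(after))
```

The copied notes carry UserA's id into IssueB, so any recipient list built from note authors alone keeps notifying UserA after the move; filtering on the bug's current project is what closes the gap.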