View Issue Details

ID: 0030922
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2023-02-22 19:21
Reporter: ChrisG
Assigned To: community
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Target Version: 2.25.6
Fixed in Version: 2.25.6
Summary: 0030922: Browser extensions may trigger automatic bug monitoring
Description

Browsers/extensions may pre-load any GET URL, including from forms. GET is specified as read-only.
However, the monitoring form submits via GET. If you don't fill in a username, it monitors under the currently logged-in user, i.e. it needs no input.
Some users may therefore automatically monitor any bug they view.

Additional Information

Pull request is here https://github.com/mantisbt/mantisbt/pull/1842
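The mechanism behind this report, shown as an added example rather than MantisBT's own code: a state-changing endpoint that accepts GET and defaults to the logged-in user is triggered by any client that merely fetches the form's action URL (a link prefetcher or preview extension does exactly that), whereas the same endpoint restricted to POST with a per-session CSRF token ignores the prefetch. The handler and form names (`monitor_add_vulnerable`, `monitor_add_hardened`, `render_monitor_form`, `simulate_prefetch`), the `/bug_monitor_add.php` action path and the session layout are assumptions made for the illustration; the session and monitor store are constructed in-memory sample state.

```python
"""Added example (not MantisBT code): why a state-changing form must not use GET.

The issue describes a 'monitor this bug' form that submitted via GET and needed
no input, so a browser or extension pre-loading the form's action URL silently
added a monitor. The handlers below are a simplified, hypothetical model of that
endpoint; they are not the project's own bug_view_inc.php code.
"""
from http import HTTPStatus
import hmac
import secrets

# Constructed sample state: which usernames monitor which bug ids.
monitors: dict[int, set[str]] = {}


def monitor_add_vulnerable(method: str, query: dict, session: dict) -> tuple[int, str]:
    """'Before' handler: accepts GET and falls back to the logged-in user.

    Any client that fetches the URL (a link prefetcher, a preview extension)
    changes state, because a GET is treated as a write.
    """
    bug_id = int(query["bug_id"])
    user = query.get("username") or session["user"]
    monitors.setdefault(bug_id, set()).add(user)
    return HTTPStatus.OK, f"{user} now monitors bug {bug_id}"


def render_monitor_form(bug_id: int, session: dict) -> str:
    """Hardened form: method POST plus a per-session CSRF token in a hidden field."""
    token = session.setdefault("csrf", secrets.token_hex(16))
    return (
        '<form method="post" action="/bug_monitor_add.php">'  # hypothetical action path
        f'<input type="hidden" name="bug_id" value="{bug_id}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="username">'
        '<input type="submit" value="Monitor"></form>'
    )


def monitor_add_hardened(method: str, form: dict, session: dict) -> tuple[int, str]:
    """'After' handler: GET stays read-only, so only a POST with a valid token writes."""
    if method != "POST":
        # A prefetch or preview is always a GET; refusing it makes it harmless.
        return HTTPStatus.METHOD_NOT_ALLOWED, "use POST"
    expected = session.get("csrf", "")
    # compare_digest("", "") is True, so an absent session token must fail explicitly.
    if not expected or not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return HTTPStatus.FORBIDDEN, "bad or missing CSRF token"
    bug_id = int(form["bug_id"])
    user = form.get("username") or session["user"]
    monitors.setdefault(bug_id, set()).add(user)
    return HTTPStatus.OK, f"{user} now monitors bug {bug_id}"


def simulate_prefetch(handler, bug_id: int, session: dict) -> tuple[int, str]:
    """Model of an extension pre-loading a form's action URL: a bare GET carrying
    the form's fields as query parameters, with no username typed in."""
    return handler("GET", {"bug_id": str(bug_id)}, session)


if __name__ == "__main__":
    sess = {"user": "alice"}
    print(simulate_prefetch(monitor_add_vulnerable, 42, sess))  # alice silently monitors 42
    print(simulate_prefetch(monitor_add_hardened, 43, sess))    # 405, nothing changes
    print(render_monitor_form(43, sess))
    print(monitor_add_hardened("POST", {"bug_id": "43", "csrf_token": sess["csrf"]}, sess))
    print(monitors)
```

The method check alone is what stops the prefetch; the CSRF token is the companion control that keeps a cross-site POST from doing the same thing, since switching to POST by itself only removes the accidental trigger, not a deliberate one.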

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-2.25 94520849

2022-08-11 14:50

ChrisG

Committer: dregad


Form should be a POST not a GET

Using GET in Bug Monitor Add form on view.php, may cause bugs viewed by
user to be auto-monitored because browsers/extensions may pre-load any
GET URL, including from forms; GET is specified as read-only.

Fixes 0030922, PR https://github.com/mantisbt/mantisbt/pull/1842

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Changes to original submission: improved commit message
Affected Issues: 0030922
mod - bug_view_inc.php