Commit
Prevent disclosure of private issue summary
Insufficient access level checks allowed an attacker to display private issues' summary via Group Actions (bug_actiongroup_page.php).

Going through the provided list of issue IDs (bug_arr[]) and removing any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes #27727, #27357, CVE-2020-29605
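The filtering step the commit message describes, as an added PHP sketch that is not MantisBT's code or this commit's diff. The issue store, user record, access levels and the functions `can_view_issue` and `filter_viewable_ids` are hypothetical, and all sample data is constructed.

```php
<?php
// Added illustration; all names here are hypothetical, not MantisBT's API.
const VIEWER = 10;
const DEVELOPER = 55;

// Constructed sample data: issue ID => project, visibility, reporter, summary.
$issues = [
    101 => ['project' => 1, 'private' => false, 'reporter' => 7, 'summary' => 'Typo on login page'],
    102 => ['project' => 1, 'private' => true,  'reporter' => 3, 'summary' => 'Embargoed security report'],
    103 => ['project' => 2, 'private' => false, 'reporter' => 3, 'summary' => 'Crash in importer'],
    104 => ['project' => 1, 'private' => true,  'reporter' => 7, 'summary' => 'My own private report'],
];
// Constructed user: access level per project; no entry means no access at all.
$user = ['id' => 7, 'levels' => [1 => VIEWER]];

// Project access is required; private issues also need reporter status or the threshold.
function can_view_issue(array $issue, array $user, int $privateThreshold = DEVELOPER): bool
{
    $level = $user['levels'][$issue['project']] ?? null;
    if ($level === null) {
        return false;
    }
    if (!$issue['private']) {
        return true;
    }
    return $issue['reporter'] === $user['id'] || $level >= $privateThreshold;
}

// Reduce a client-supplied ID list to existing issues the user may view.
function filter_viewable_ids(array $requested, array $issues, array $user): array
{
    $allowed = [];
    foreach ($requested as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT);
        if ($id === false || !isset($issues[$id])) {
            continue; // malformed or unknown ID: drop it silently
        }
        if (can_view_issue($issues[$id], $user)) {
            $allowed[$id] = true; // keyed by ID, so duplicates collapse
        }
    }
    return array_keys($allowed);
}

// Constructed request, shaped like a bug_arr[] form field.
$bug_arr = ['101', '102', '103', '104', '102', 'abc', '999'];
foreach (filter_viewable_ids($bug_arr, $issues, $user) as $id) {
    printf("%d: %s\n", $id, $issues[$id]['summary']);
}
```

Summaries are read only after filtering, and an inaccessible ID is handled the same way as a nonexistent one, so the response does not confirm that a private issue exists.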