GHSA-4vpf-w7qv-5h3q
MantisBT: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs
Details
Unvalidated note_type Parameter in mc_issue_update SOAP Endpoint Allows creation of TIME_TRACKING and REMINDER Notes. The SOAP path passes the user-supplied note_type integer directly to bugnote_add() without validating that the user is authorized to create that type of note. If the user's access level is higher than *$g_time_tracking_view_threshold*, they can also inject arbitrary hours into billing reports.
REST API also allows injection of TIME_TRACKING notes (but not REMINDER) through the same mc_issue_update() function.
### Impact An attacker with UPDATER access could: - Inject fake billable hours via TIME_TRACKING notes (note_type=2), corrupting billing data exported through MantisBT's billing reports. Organizations that bill clients based on MantisBT time tracking data would generate incorrect invoices, and corrupt time tracking reports could be used to drive project management decisions. - Fake REMINDER notes registered (but without actual sending of notifications).
### Patches - https://github.com/mantisbt/mantisbt/commit/de2f71fd88746e963386c214c3ae65a3c4c851b7
### Workarounds None
### Resources - https://mantisbt.org/bugs/view.php?id=37081 - https://mantisbt.org/bugs/view.php?id=37200
### Credits Thanks to the following security researchers for discovering and responsibly reporting the issue - Vishal Shukla - Psalms Christopher Matovu (@byteoverride)
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 2.28.4 composer require mantisbt/mantisbt:^2.28.4 References
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4vpf-w7qv-5h3q [WEB]
- https://github.com/mantisbt/mantisbt/commit/de2f71fd88746e963386c214c3ae65a3c4c851b7 [WEB]
- https://github.com/mantisbt/mantisbt [PACKAGE]
- https://mantisbt.org/bugs/view.php?id=37081 [WEB]
- https://mantisbt.org/bugs/view.php?id=37200 [WEB]