Defect #10390

Mass assignment security vulnerability

Added by John Yani about 8 years ago. Updated about 8 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Code cleanup/refactoring
Target version:1.3.2
Resolution:Fixed Affected version:

Description

There are many security vulnerabilities in Redmine. Some are not dangerous (such as setting created_on and updated_on fields). Some are (posting news to the project you're not allowed to).

Associated revisions

Revision 9129
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding a news comment (#10390).

Revision 9130
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding/updating a document (#10390).

Revision 9131
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding/updating an issue category (#10390).

Revision 9132
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding a project member (#10390).

Revision 9133
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding/updating a forum message (#10390).

Revision 9134
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding/updating a news (#10390).

Revision 9136
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding/updating a time entry (#10390).

Revision 9137
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding/updating a version (#10390).

Revision 9138
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding/updating a wiki (#10390).

Revision 9139
Added by Jean-Philippe Lang about 8 years ago

Set user_id as a protected attribute (#10390).

Revision 9140
Added by Jean-Philippe Lang about 8 years ago

Prevent mass-assignment when adding/updating a forum (#10390).

History

#2 Updated by Jean-Philippe Lang about 8 years ago

All actions for non-admin users should now be fixed.

#3 Updated by Jean-Philippe Lang about 8 years ago

  • Category set to Code cleanup/refactoring
  • Status changed from New to Closed
  • Target version set to 1.3.2
  • Resolution set to Fixed

Please next time submit security issues to security at redmine dot org as requested on SubmittingBugs.

Also available in: Atom PDF