Defect #10390
Mass assignment security vulnerability
| Status: | Closed | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | Code cleanup/refactoring | |||
| Target version: | 1.3.2 | |||
| Resolution: | Fixed | Affected version: |
Description
There are many security vulnerabilities in Redmine. Some are not dangerous (such as setting created_on and updated_on fields). Some are (posting news to the project you're not allowed to).
Associated revisions
Prevent mass-assignment when adding a news comment (#10390).
Prevent mass-assignment when adding/updating a document (#10390).
Prevent mass-assignment when adding/updating an issue category (#10390).
Prevent mass-assignment when adding a project member (#10390).
Prevent mass-assignment when adding/updating a forum message (#10390).
Prevent mass-assignment when adding/updating a news (#10390).
Prevent mass-assignment when adding/updating a time entry (#10390).
Prevent mass-assignment when adding/updating a version (#10390).
Prevent mass-assignment when adding/updating a wiki (#10390).
Set user_id as a protected attribute (#10390).
Prevent mass-assignment when adding/updating a forum (#10390).
History
#1
Updated by John Yani over 10 years ago
#2
Updated by Jean-Philippe Lang over 10 years ago
All actions for non-admin users should now be fixed.
#3
Updated by Jean-Philippe Lang over 10 years ago
- Category set to Code cleanup/refactoring
- Status changed from New to Closed
- Target version set to 1.3.2
- Resolution set to Fixed
Please next time submit security issues to security at redmine dot org as requested on SubmittingBugs.