Bug: Assignee filter dropdown exposes member list to unauthorized users
Bug #22

Assignee filter dropdown exposes member list to unauthorized users

Status: New
Priority: High
Added by: scot on April 30, '24
Assigned to:
Due date:
Reported for: 0.6.0

Steps to Reproduce

  1. Browse to https://app.betahub.io/projects/<project id>/issues
  2. Inspect the source of the 'Assignee' dropdown
  3. View a complete list of the project members

Explanation

Even if you are not authorized to view the members of a project via the member list of a project, the assignee filter drop down leaks the member list.
It seems all assignees and their IDs are listed in the drop down. From there, a user can browse to https://app.betahub.io/profiles/<id> to gather more info about a given user.

Screenshots

None

Video Clips

None

Log Files

None

Device
Device Type: PC
Cpu model: Ryzen 9 7900X
Cpu brand: AMD
Gpu model: GeForce RTX 3060 Ti
Gpu brand: NVIDIA
Memory: 64 GB
Operating system: Windows 10
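
A regression check for the leak described in the Explanation above, added here as an example (it is not part of the original report and not BetaHub's code): it compares the IDs rendered in the assignee dropdown with the IDs the member-list policy lets the viewer see. The select name `assignee_id`, the option values and both sample pages are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample markup; the select name "assignee_id" and numeric
# option values are assumptions, not taken from BetaHub's real pages.
LEAKY_PAGE = """
<select name="status"><option value="open">Open</option></select>
<select name="assignee_id">
  <option value="">Anyone</option>
  <option value="101">viewer</option>
  <option value="102">member-a</option>
  <option value="103">member-b</option>
</select>"""
FIXED_PAGE = """
<select name="assignee_id">
  <option value="">Anyone</option>
  <option value="101">viewer</option>
</select>"""


class SelectOptions(HTMLParser):
    """Collect the non-empty option values of one named <select>."""

    def __init__(self, select_name):
        super().__init__()
        self.select_name = select_name
        self.inside = False
        self.values = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "select":
            self.inside = attrs.get("name") == self.select_name
        elif tag == "option" and self.inside and attrs.get("value"):
            self.values.append(attrs["value"])

    def handle_endtag(self, tag):
        if tag == "select":
            self.inside = False


def leaked_member_ids(page_html, visible_ids, select_name="assignee_id"):
    """IDs rendered in the dropdown that the member-list policy hides."""
    parser = SelectOptions(select_name)
    parser.feed(page_html)
    return sorted(set(parser.values) - set(visible_ids))


if __name__ == "__main__":
    # The viewer may only see their own ID (101) in this constructed case.
    print(leaked_member_ids(LEAKY_PAGE, {"101"}))
    print(leaked_member_ids(FIXED_PAGE, {"101"}))
```

An empty result means the dropdown shows nothing beyond what the member list would; any returned ID is a member exposed only through the filter.
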
[ #1 ] 5 months ago by

I personally wouldn't classify this as high priority. User enumeration is one thing, but I don't believe there's a crazy amount of info to be gathered.
Seems more like generally undesired behavior.

[ #2 ] 5 months ago by

ex from a project I'm in

Capture.PNG (52.7 KB)
