Bug: Assignee filter dropdown exposes member list to unauthorized users
Bug #22

Status: New
Priority: High
Added by: scot on April 30, '24
Assigned to: Unassigned
Due date:
Reported for:

Steps to Reproduce

  1. Browse to https://app.betahub.io/projects/<project id>/issues
  2. Inspect the source of the 'Assignee' dropdown
  3. View a complete list of the project members

Explanation

Even if a user is not authorized to view a project's members via the project's member list, the 'Assignee' filter dropdown still leaks the member list: every assignee and their user ID appear as options in the dropdown. From there, a user can browse to https://app.betahub.io/profiles/<id> to gather more information about a given user.
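To show the class of fix this report calls for, here is an added example (not BetaHub's code; the project model, the roles and the member-list visibility setting are assumptions) in which the assignee filter reuses the same authorization predicate as the member list page, shown next to the leaky form and with a regression check:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    id: int
    name: str

@dataclass
class Project:
    users: dict                  # user id -> User, for every member
    roles: dict                  # user id -> "admin" | "member"
    member_list_visibility: str  # "everyone" | "members" | "admins"

def can_view_members(project: Project, viewer: Optional[User]) -> bool:
    """The one predicate gating the member list page; every other surface
    that lists members (filters, pickers, APIs) must reuse it."""
    role = project.roles.get(viewer.id) if viewer else None
    if project.member_list_visibility == "everyone":
        return True
    if project.member_list_visibility == "members":
        return role is not None
    return role == "admin"

def assignee_options_leaky(project: Project, viewer: Optional[User]) -> list:
    """Vulnerable form: read straight from the members table, so anyone who
    can open the issue list sees every member and their ID."""
    return [(u.id, u.name) for u in project.users.values()]

def assignee_options_fixed(project: Project, viewer: Optional[User]) -> list:
    """Hardened form: reuse the member-list predicate; a viewer who may not see
    the list gets at most their own entry, so 'assigned to me' still works."""
    if can_view_members(project, viewer):
        return [(u.id, u.name) for u in project.users.values()]
    if viewer and viewer.id in project.roles:
        return [(viewer.id, viewer.name)]
    return []

def leaked_ids(options: list, viewer: Optional[User]) -> list:
    """Regression check: user IDs other than the viewer's own are a leak
    whenever the viewer cannot view the member list."""
    own = viewer.id if viewer else None
    return sorted(uid for uid, _ in options if uid != own)

# Constructed sample data (not from the report): member list visible to admins
# only, so ordinary member "scot" must not learn who else is on the project.
ALICE, BOB, SCOT = User(1, "alice"), User(2, "bob"), User(3, "scot")
SAMPLE_PROJECT = Project(users={u.id: u for u in (ALICE, BOB, SCOT)},
                         roles={1: "admin", 2: "member", 3: "member"},
                         member_list_visibility="admins")
```

Running `leaked_ids` over the filter's output for a viewer who fails `can_view_members` is the check to keep in the test suite so the dropdown cannot drift away from the member-list rule again.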

Watchers

Screenshots

None

Video Clips

None

Log Files

None

[ #1 ] over 1 year ago by

I personally wouldn't classify this as high priority. User enumeration is one thing, but I don't believe there's a crazy amount of info to be gathered. Seems more like generally undesired behavior.

[ #2 ] over 1 year ago by

ex from a project I'm in

Capture.PNG (52.7 KB)
