Bug: Assignee filter dropdown exposes member list to unauthorized users
141 °C
Bug #22
Assignee filter dropdown exposes member list to unauthorized users
| Status: | Open |
| Priority: | High |
| Added by: | |
| Assigned to: | Unassigned |
| Due date: | |
| Reported for: | |
Steps to Reproduce
- Browse to https://app.betahub.io/projects/<project id>/issues
- Inspect the source of the 'Assignee' dropdown
- View a complete list of the project members
Explanation
Even if you are not authorized to view the members of a project via the member list of a project, the assignee filter dropdown leaks the member list.
It seems all assignees and their IDs are listed in the dropdown. From there, a user can browse to https://app.betahub.io/profiles/<id> to gather more info about a given user.
Screenshots
None
Video Clips
None
Log Files
None
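
One way to close this kind of leak, shown as an added example that is not BetaHub's code: build the 'Assignee' dropdown options from the same authorization check that guards the member list, and validate the submitted filter value against those same options. All type names, method names, roles and sample data below are hypothetical and constructed for illustration.

```ruby
# Added example: hypothetical names throughout, not BetaHub's code.
Member  = Struct.new(:id, :name)
Project = Struct.new(:id, :members, :member_list_roles)
Viewer  = Struct.new(:id, :role)

# Single authorization predicate shared by the member list page and
# every other view that renders member data.
def can_view_members?(viewer, project)
  project.member_list_roles.include?(viewer.role)
end

# Members the viewer may see: everyone if authorized, otherwise at most
# the viewer's own membership record.
def visible_members(viewer, project)
  return project.members if can_view_members?(viewer, project)
  project.members.select { |m| m.id == viewer.id }
end

# Options rendered into the 'Assignee' filter dropdown. Built only from
# visible_members, so the page source never contains hidden names or IDs.
def assignee_filter_options(viewer, project)
  [["Unassigned", "none"]] +
    visible_members(viewer, project).map { |m| [m.name, m.id.to_s] }
end

# Validate the submitted filter value against the same allowlist, so a
# hand-typed ID is not accepted for a member the viewer cannot see.
def permitted_assignee_filter(viewer, project, raw_value)
  allowed = assignee_filter_options(viewer, project).map(&:last)
  allowed.include?(raw_value.to_s) ? raw_value.to_s : nil
end

# Constructed sample data.
SAMPLE_PROJECT = Project.new(
  7,
  [Member.new(101, "alice"), Member.new(102, "bob"), Member.new(103, "carol")],
  %w[owner developer]
)
OUTSIDER  = Viewer.new(900, "guest")     # not a member, not authorized
TESTER    = Viewer.new(103, "tester")    # member, but role cannot list members
DEVELOPER = Viewer.new(101, "developer") # authorized to list members
```

A regression test for the fix would render the issues page as an unauthorized viewer and assert that no other member's name or ID appears anywhere in the response body.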