Service desk issues can be created in archived projects
HackerOne report #430437 by ashish_r_padelkar on 2018-10-29:
Summary:
Hello,
When you archive any public project, the project becomes read-only and no issues, comments, etc. can be created. However, if the project has service desk enabled, anybody can still create issues even when the project is in an archived state.
Description: As per the description below, it should not be possible for anyone to create any issues in archived projects. If a project has service desk enabled, anybody can use an incoming email and create issues in such projects.
Steps To Reproduce:
- Archive any public project and use the service desk feature (enabled by default in public projects)
- Now anybody who knows the project link can use the service desk email and send an email to this project, and an issue will be created!
#SuggestedFix Service desk issues should be denied when the project is in an archived state
Regards, Ashish
Impact
Anyone can create issues in archived projects
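A minimal Ruby model of the bug class reported above and of the suggested fix, added here as an illustration. It is not GitLab's code: Project, IssueCreator and both handler names are hypothetical, and the sample project and sender are constructed.

```ruby
# Hypothetical model, not GitLab's implementation; all names are assumptions.
Project = Struct.new(:name, :archived, :service_desk_enabled, :issues,
                     keyword_init: true)

class ArchivedProjectError < StandardError; end

# Single choke point for issue creation. Every ingress path (web, API,
# incoming email) goes through here, so the read-only rule cannot be skipped.
module IssueCreator
  def self.create(project, title:, author:)
    raise ArchivedProjectError, "#{project.name} is archived" if project.archived
    issue = { title: title, author: author }
    project.issues << issue
    issue
  end
end

# Before: the email path checks only its own feature flag and writes the
# issue directly, so the archived state is never consulted.
module VulnerableEmailHandler
  def self.receive(project, from:, subject:)
    return nil unless project.service_desk_enabled
    issue = { title: subject, author: from }
    project.issues << issue
    issue
  end
end

# After: the email path delegates to the shared creator and rejects the
# message when the project is read-only.
module HardenedEmailHandler
  def self.receive(project, from:, subject:)
    return nil unless project.service_desk_enabled
    IssueCreator.create(project, title: subject, author: from)
  rescue ArchivedProjectError
    nil
  end
end

# Constructed sample: an archived public project with service desk enabled.
def demo
  project = Project.new(name: "demo/archived", archived: true,
                        service_desk_enabled: true, issues: [])
  before = VulnerableEmailHandler.receive(project, from: "anyone@example.com", subject: "hi")
  after  = HardenedEmailHandler.receive(project, from: "anyone@example.com", subject: "hi")
  { vulnerable_created: !before.nil?, hardened_created: !after.nil?,
    issues: project.issues.size }
end
```

A regression test for this class of bug should exercise every ingress path against an archived project, not only the web form.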