CVE-2024-27630

An authenticated administrator of a group with a bug tracker can exploit this vulnerability. By crafting a request to `/bugs/index.php?func=delete_file` with a valid `item_id` from their own group and an arbitrary `file_id`, an attacker can delete file attachments from any bug tracker. Since file IDs increment sequentially, an attacker could script the deletion of all file attachments on the server [ref_id=1].

The vulnerability lies within the `trackers_data_delete_file` function, located in `frontend/php/include/trackers/data.php`. This function is called when the `func` parameter is set to `delete_file` in `frontend/php/bugs/index.php`, but only if the user is a tracker administrator (`$is_trackeradmin`). The function directly uses the provided `$file_id` in an `unlink` operation without sufficient validation.

The advisory recommends upgrading to Savane version 3.13 or higher. The patch, while not detailed in the provided information, is expected to introduce validation for the `file_id` parameter within the `trackers_data_delete_file` function to ensure it belongs to the specified group and item, thereby preventing arbitrary file deletion.