MantisBT 1.2.4 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are advised to upgrade to this release.
Gjoko Krstic of Zero Science Lab reported multiple vulnerabilities in the admin/upgrade_unattended.php script. Issue #12607 provides more detail on the vulnerabilities discovered. We thank Gjoko for his detailed assistance with testing, patching and answering questions. Please note that the /admin/ directory should be removed from all MantisBT installations after the installation or upgrade has been completed. This is particularly important for MantisBT installations accessible over the Internet.
Also included with 1.2.4 are some bug fixes relating to fonts in the MantisGraph plugin, SOAP API, CSV export, custom field values, relationship graphs, fields on the manage user page, built-in time tracking and the allow_reporter_close feature. This release includes updated translations for many languages and improved installation documentation in doc/INSTALL.
A full changelog for the 1.2.x series can be found on the official site:
The release is available for download at: