MantisBT 1.2.13 Released

This release was pulled out shortly after go live, since we discovered it introduced a bug causing the View Issues page to consume significantly more memory for instances with large numbers of users (order 10k+).  MantisBT 1.2.14 fixes this issue and was released on January 30th, 2013.

MantisBT 1.2.13 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

Two cross site scripting (XSS) vulnerability issues affecting MantisBT 1.2.12 only (earlier versions are not impacted) were discovered:

  • CVE-2013-0197: a malicious person could trick the browser of a target user into executing arbitrary JavaScript code. This vulnerability is particularly wide-reaching due to the affected page (search.php) being usable anonymously on public-facing installations (i.e. no user login required).  Refer to issue #15373 for detailed information.
  • CVE-2013-XXXX: A user holding manager/administrator permissions could create a category or project name containing JavaScript code; from that point on,  visitors to the Summary page (summary.php) are exposed to having the JavaScript execute within their browser environment. The severity of this issue is mitigated by the need to have a privileged account to modify category and project names.  Refer to issue #15384 for detailed information.

A workflow-related security issue was also fixed:

  • CVE-2013-XXXX: a user with “Reporter” permissions can modify the workflow status of any issue to “New” even if they do not have the necessary privileges to make this change.  Refer to issue #15258 for detailed information.

In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:

  • Improved Manage Configuration page (better performance, ability to filter and edit config options)
  • Support for the built-in SOAP extension in addition to nusoap

A full changelog for 1.2.13 can be found at here.

Checkout Hosted MantisBT to be up and running in minutes.  For optimized access to MantisBT from iPhone, Android and Windows Phone checkout MantisTouch.

One thought on “MantisBT 1.2.13 Released”

Comments are closed.