Update – this release was pulled out shortly after release since we figured an introduced bug where the View Issues page consumes significantly more memory for instances with large numbers of users (order 10k+). We are planning to release 1.2.14 shortly.
MantisBT 1.2.13 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.
Two cross site scripting (XSS) vulnerability issues affecting MantisBT 1.2.12 only (earlier versions are not impacted) were discovered:
A workflow-related security issue was also fixed:
- CVE-2013-XXXX: a user with “Reporter” permissions can modify the workflow status of any issue to “New” even if they do not have the necessary privileges to make this change. Refer to issue #15258 for detailed information.
In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:
- Improved Manage Configuration page (better performance, ability to filter and edit config options)
- Support for the built-in SOAP extension in addition to nusoap
A full changelog for 1.2.13 can be found at here.