MantisBT 1.2.14 Released

MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following release notes are relative to 1.2.12 (rather than 1.2.13).

Four cross-site scripting (XSS) vulnerabilities were discovered and resolved:

  • A malicious person could trick a target user’s browser into executing arbitrary JavaScript code (CVE-2013-0197). This vulnerability is critical because the affected page (search.php) can be used anonymously on public-facing installations (i.e. without a user login). Affects MantisBT 1.2.12 only (earlier versions are not impacted). Refer to issue #15373 for detailed information.
  • A user holding manager/administrator permissions could create a category or project name containing JavaScript code; from that point on, visitors to (a) the Summary page (summary.php) and (b) the Configuration Report page (adm_config_report.php) are exposed to having that JavaScript execute within their browser. The severity of this issue is mitigated by the need for a privileged account to modify category and project names. Issue (a) affects MantisBT version 1.2.12 and above, while (b) affects 1.2.13 only; earlier releases are not impacted. Refer to issues #15384 (a) and #15415 (b) for detailed information.
  • An administrator could enter a configuration option containing JavaScript code, which would then be executed when the Configuration Report page (adm_config_report.php) is displayed. The severity of this issue is mitigated by the need for a privileged account. Affects all MantisBT 1.2.x versions. Refer to issue #15416 for detailed information.
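The second and third issues above share one root cause: values that a privileged user stored (a category or project name, a configuration option) were written into a page without being escaped for the HTML context they landed in. The following PHP is an added illustration of that pattern and its fix; it is not MantisBT's own code, and the row data, the `view.php` link target and the function names are constructed for this example.

```php
<?php
// Added example (not MantisBT's own code): a vulnerable HTML renderer next to
// a fixed one. The rows, link target and function names are constructed.

// Constructed sample rows: a harmless name and two values carrying markup, the
// kind of thing a privileged user could save as a category name or a config value.
$rows = [
    ['id' => 1, 'name' => 'General',                   'value' => 'on'],
    ['id' => 2, 'name' => '<script>alert(1)</script>', 'value' => '" onmouseover="alert(2)'],
];

// Escape for HTML text and attribute contexts. ENT_QUOTES covers both quote
// styles, so the result is also safe inside a double- or single-quoted attribute.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored values are interpolated straight into markup, so a
// name or option saved once becomes live script in every visitor's browser.
function render_row_unsafe(array $row): string
{
    return "<tr><td>{$row['id']}</td>"
         . "<td><a href=\"view.php?name={$row['name']}\" title=\"{$row['value']}\">{$row['name']}</a></td>"
         . "<td>{$row['value']}</td></tr>\n";
}

// Fixed pattern: every untrusted value is escaped for the context it lands in.
// A value placed in a URL query string is rawurlencode()d first, and the whole
// URL is then HTML-escaped because it sits inside an attribute.
function render_row_safe(array $row): string
{
    $name  = html_escape($row['name']);
    $value = html_escape($row['value']);
    $href  = html_escape('view.php?name=' . rawurlencode($row['name']));
    return '<tr><td>' . html_escape((string) $row['id']) . '</td>'
         . "<td><a href=\"{$href}\" title=\"{$value}\">{$name}</a></td>"
         . "<td>{$value}</td></tr>\n";
}

// Regression check a maintainer could keep around: rendered output must never
// contain a live script tag or an attribute that was broken out of with a quote.
function contains_live_markup(string $html): bool
{
    return preg_match('/<script\b|" on[a-z]+=/i', $html) === 1;
}

foreach ($rows as $row) {
    $unsafe = render_row_unsafe($row);
    $safe   = render_row_safe($row);
    echo 'unsafe (' . (contains_live_markup($unsafe) ? 'LIVE MARKUP' : 'clean') . "): {$unsafe}";
    echo 'safe   (' . (contains_live_markup($safe)   ? 'LIVE MARKUP' : 'clean') . "): {$safe}";
}
```

Run it with `php` on the command line; the second row shows the difference, with the raw `<script>` tag and the `" onmouseover=` attribute break-out surviving only in the unsafe rendering. The point to carry over to a real code base is that escaping belongs at output time, chosen per context (text, attribute, URL), rather than being applied once on the way into the database.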

A workflow-related security issue was also fixed:

  • A user with “Reporter” permissions could modify the workflow status of any issue to “New” even without the necessary privileges to make this change. Refer to issue #15258 for detailed information.
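The workflow issue is an authorization gap on a state transition: one target status escaped the access-level check that every other transition went through. The PHP below is an added example, not MantisBT's code, modelling a status-change check in the flawed and the fixed form. The post only describes the effect of the defect, so the status and access constants, the threshold table and the way the flawed check short-circuits on “New” are all hypothetical.

```php
<?php
// Added example, not MantisBT's own code. Status/access constants, the
// threshold table and the function names are hypothetical; the post does not
// show the original defect's code, only its effect.

// Hypothetical status and access-level constants (higher = more privileged).
const STATUS_NEW      = 10;
const STATUS_ASSIGNED = 50;
const STATUS_RESOLVED = 80;

const ACCESS_REPORTER  = 25;
const ACCESS_DEVELOPER = 55;
const ACCESS_MANAGER   = 70;

// Hypothetical threshold table: the minimum access level required to move an
// existing issue into a given status.
const STATUS_THRESHOLDS = [
    STATUS_NEW      => ACCESS_DEVELOPER,
    STATUS_ASSIGNED => ACCESS_DEVELOPER,
    STATUS_RESOLVED => ACCESS_DEVELOPER,
];

// Flawed check (hypothetical): "New" is treated as always allowed, on the
// reasoning that reporters may create issues in that state. Moving an existing
// issue back to New is a different operation and must not inherit that exemption.
function can_change_status_flawed(int $user_access, int $current, int $target): bool
{
    if ($target === STATUS_NEW) {
        return true;                        // no threshold lookup at all
    }
    return $user_access >= (STATUS_THRESHOLDS[$target] ?? PHP_INT_MAX);
}

// Fixed check: every target status goes through the threshold table, an unknown
// status is denied (fail closed), and a no-op change is permitted.
function can_change_status(int $user_access, int $current, int $target): bool
{
    if ($current === $target) {
        return true;
    }
    if (!array_key_exists($target, STATUS_THRESHOLDS)) {
        return false;
    }
    return $user_access >= STATUS_THRESHOLDS[$target];
}

// The check runs before the record is touched; the issue array is constructed.
function update_status(array $issue, int $user_access, int $target): array
{
    if (!can_change_status($user_access, $issue['status'], $target)) {
        throw new RuntimeException("access denied: status {$issue['status']} -> {$target}");
    }
    $issue['status'] = $target;
    return $issue;
}

$issue = ['id' => 42, 'status' => STATUS_RESOLVED];

// A reporter trying to push a resolved issue back to "New": the flawed check
// waves it through, the fixed check requires developer access.
var_dump(can_change_status_flawed(ACCESS_REPORTER, $issue['status'], STATUS_NEW));
var_dump(can_change_status(ACCESS_REPORTER, $issue['status'], STATUS_NEW));
var_dump(can_change_status(ACCESS_DEVELOPER, $issue['status'], STATUS_NEW));

try {
    update_status($issue, ACCESS_REPORTER, STATUS_NEW);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The design point is that the transition table is the single source of truth: no status gets a hard-coded bypass, and a status missing from the table is denied rather than allowed. When auditing a workflow engine for this class of bug, look for any branch that returns early before the threshold lookup.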

In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:

  • improved Manage Configuration page (better performance, ability to filter and edit config options)
  • support for the built-in SOAP extension in addition to nusoap
  • updated translations in many languages

A full changelog for 1.2.14 can be found here. Go ahead and download it now.

Check out Hosted MantisBT to be up and running in minutes. For optimized access to MantisBT from iPhone, Android and Windows Phone, check out MantisTouch.


One Response to MantisBT 1.2.14 Released

  1. Danu says:

    Hi,

    I newly created a Mantis account via XAMPP (localhost). After that it asks for a user name and password. I clicked Signup for New Account. But after submission, it says it will send a confirmation email to confirm. Still it is localhost. No password. How do I receive my username and password for a localhost-created Mantis account?

    How to get it?

    Please help me
