MantisBT 1.2.16 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.
The following security issues were resolved:
- SQL injection attacks through the SOAP API’s mc_attachment_get() function (CVE-2014-1608). Affects MantisBT 1.1.0a4 and later. Refer to issue #16879 for detailed information.
- Additional cases of unsanitized use of SQL query parameters were identified, potentially allowing SQL injection attacks (CVE-2014-1609). Refer to issue #16880 for detailed information.
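Both fixes above address the same defect class: a caller-supplied value spliced into the SQL text instead of being bound as a parameter. The following is an added illustration of that class and its remedy, not MantisBT code; it uses Python with SQLite rather than MantisBT's PHP, and the `attachment` table, its columns and the sample rows are constructed for the example and do not describe MantisBT's schema or the `mc_attachment_get()` implementation.

```python
import sqlite3

# Constructed sample data (not MantisBT's schema): id, bug id, filename.
SAMPLE_ROWS = [
    (1, 7, "build.log"),
    (2, 7, "screenshot.png"),
    (3, 9, "design.pdf"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attachment (id INTEGER, bug_id INTEGER, filename TEXT)"
    )
    conn.executemany("INSERT INTO attachment VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_attachment_unsafe(conn, attachment_id):
    """Vulnerable pattern: the caller's value becomes part of the SQL text.

    Whatever the caller sends is parsed by the database as SQL, so a value
    that is not a plain integer can rewrite the WHERE clause.
    """
    sql = (
        "SELECT filename FROM attachment WHERE id = "
        + str(attachment_id)
        + " ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def get_attachment_safe(conn, attachment_id):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The query text is fixed; the database receives the id as data, so it can
    only ever select on equality with that integer.
    """
    try:
        aid = int(attachment_id)
    except (TypeError, ValueError):
        # Reject anything that is not an integer before it reaches the database.
        raise ValueError("attachment id must be an integer")
    sql = "SELECT filename FROM attachment WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (aid,))]


def compare(attachment_id):
    """Run the same input through both variants; returns (unsafe, safe) results.

    The safe result is the string "rejected" when input validation refuses it.
    """
    conn = make_db()
    unsafe = get_attachment_unsafe(conn, attachment_id)
    try:
        safe = get_attachment_safe(conn, attachment_id)
    except ValueError:
        safe = "rejected"
    return unsafe, safe


if __name__ == "__main__":
    # A well-formed id behaves identically in both variants.
    print(compare("2"))
    # A malformed id is executed as SQL by the unsafe variant (all rows come
    # back) and rejected by the safe one.
    print(compare("2 OR 1=1"))
```

The two functions return the same rows for any genuine integer id; they only diverge on malformed input, which is exactly the case a reviewer looks for when auditing query construction. Searching a code base for string concatenation or formatting that produces SQL, and replacing each instance with a bound parameter, is the systematic version of the fix the advisory describes.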
This release also includes many bug fixes and enhancements to the tracker and the SOAP API, as well as updated translations in many languages.