MantisBT 1.2.16 Released

MantisBT 1.2.16 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following security issues were resolved:

  • Cross-site scripting (XSS) issue in account_sponsor_page.php, allowing a malicious user with project manager access to execute arbitrary JavaScript code (CVE-2013-4460). Affects MantisBT 1.1.0 and later.  Refer to issue #16513 for detailed information.
  • SQL injection attacks through the SOAP API’s mc_attachment_get() function (CVE-2014-1608). Affects MantisBT 1.1.0a4 and later.  Refer to issue #16879 for detailed information.
  • Additional cases of unsanitized SQL query parameters usage were identified, potentially allowing SQL injection attacks (CVE-2014-1609).  Refer to issue #16880 for detailed information.

This release also includes many bug fixes and enhancements to the tracker and the SOAP api, as well as updated translations in many languages.

See full changelog for more details and download from official site.