Tag: release

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.2

This security and maintenance release fixes vulnerabilities in Custom Fields management page (CVE-2021-33557) and in the PHPMailer library, as well as a PHP 8 compatibility issue.

• 0028803: [custom fields] PHP 8: “Bad Request” error on custom field filters (dregad)
• 0028821: [security] Update PHPMailer to 6.5.0 (dregad)
• 0028552: [security] CVE-2021-33557: XSS in manage_custom_field_edit_page.php (dregad)

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.1

This security and maintenance release fixes a couple of vulnerabilities in PHPMailer and Chart.js libraries, as well as a few other minor issues. All installations are strongly advised to upgrade as soon as possible.

• 0028084: [ui] Labels for email notifications in User Prefs page appear in bold (dregad)
• 0028082: [ui] Project Edit Page does not display check boxes (dregad)
• 0028076: [plug-ins] Bundled plugins 2.25.0: incorrect Mantis requirement (dregad)
• 0028080: [ui] Unsightly vertical offset of the “Update Prefs” and “Reset Prefs” buttons. (dregad)
• 0028106: [administration] Error removing project (dregad)
• 0028112: [ui] Incorrect spacing between icon and text on manage_user_edit_page.php (dregad)
• 0028529: [plug-ins] CVE-2020-7746: Vulnerability in the Chart.js library used by Graph Plugin (dregad)
• 0028530: [security] Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) (dregad)

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

MantisBT 2.24.5

Security and maintenance release, includes PHP 8.0 compatibility fixes.

• 0027976: [security] User cookie string is not reset upon logout (dregad)
• 0027800: [bugtracker] install.php throws SYSTEM WARNINGs (dregad)
• 0027826: [bugtracker] ERROR_CATEGORY_NOT_FOUND_FOR_PROJECT thrown for Category ‘0’ (dregad)
• 0027928: [custom fields] Unable to edit Issues having Date custom fields on PHP 8.0 (dregad)

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

MantisBT 2.24.4

Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues’ contents. All installations are strongly advised to upgrade as soon as possible.

This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.

• 0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
• 0026794: [security] User Account – Takeover (dregad)
• 0027363: [security] Fixed in version can be changed to a version that doesn’t exist (dregad)
• 0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
• 0027357: [security] Attacker can leak private information via different functionality (dregad)
• 0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
• 0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
• 0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
• 0027361: [security] Private category can be access/used by a non member of a private project (IDOR) (dregad)
• 0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
• 0027495: [security] CVE-2020-28413: SQL injection in the parameter “access” on the mc_project_get_users function throught the API SOAP. (dregad) 0027704: [javascript] Javascript error in View Issues page (dregad)
• 0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
• 0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
• 0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
• 0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
• 0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)
• 0027444: [security] Printing unsanitized user input in install.php (atrol)

Many thanks to randomdhiraj, ethicalhcop and d3vpoo1, for identifying and responsibly reporting these security issues.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.