MantisBT 1.2.15 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.
- 0015573: [security] CVE-2013-1883: One query can be issued via current Mantis interface to take down site (dregad) - closed.
- 0002971: [bugtracker] Reminders are not added to bug history (dregad) - closed.
- 0015470: [bugtracker] Reminders recipient list is truncated (dregad) - closed.
- 0010047: [documentation] Adding new statuses section is missing a step (dregad) - closed.
- 0010118: [documentation] lang_get_current() returns wrong language if $g_default_language overwritten (dregad) - closed.
- 0010372: [feature] Don't allow reminders to be sent if the user doesn't have an email address specificed (dregad) - closed.
- 0013054: [installation] Installer displays a blank page if core.php encounters a critical error (dregad) - closed.
- 0015357: [bugtracker] uninitialized library path (dregad) - closed.
- 0015471: [bugtracker] bug_reminder.php does not handle unsent reminders (dregad) - closed.
- 0015472: [bugtracker] email_bug_reminder() API's return array is always full list of recipients (dregad) - closed.
- 0015481: [custom fields] Custom fields values are not sorted in the main filter (dregad) - closed.
- 0015528: [printing] Custom fields user has no access to should not be displayed on print pages (dregad) - closed.
- 0015538: [bugtracker] Issues list is not displayed when $g_limit_reporters is ON (dregad) - closed.
- 0015540: [documentation] Wrong example code for custom status translation (atrol) - closed.
- 0015558: [bugtracker] url_get() does not fall back to other methods when no data is retrieved (dregad) - closed.
- 0015575: [documentation] Turning on $g_show_queries_list causes Mantis to crash with an error (dregad) - closed.
- 0015659: [localization] Appears @70@ and @80@ in the list of resolutions in the "view Issues" page when mantis is in catalan. (dregad) - closed.
- 0015691: [administration] Config report: retrieval of saved project filter from cookie does not work (dregad) - closed.
- 0015453: [security] CVE-2013-1930: Close button is shown on webpage despite 'close' is not a valid status by workflow (dregad) - closed.
- 0015511: [security] CVE-2013-1931: XSS vulnerability when deleting a version (atrol) - closed.
- 0015698: [bugtracker] 'extract() expects parameter 1 to be array, boolean given' in '/srv/www/bugs/account_prof_edit_page.php' line 48 (dregad) - closed.
- 0015704: [documentation] Wrong description of writing custom_functions (atrol) - closed.
- 0015744: [bugtracker] Reminder bugnote with list of recipients not added if no text provided (dregad) - closed.
- 0015451: [api soap] Incorrect invocations of SoapObjectsFactory::newSoapFault (rombert) - closed.
- 0015517: [api soap] mc_project_get_versions() result can't be parsed by C# (dregad) - closed.
- 0015522: [api soap] mc_project_get_issues does not report due_date (dregad) - closed.