MantisBT 1.2.15 Released

MantisBT 1.2.15 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following security issues were resolved:

  • Any malicious user could use the view issues page (search.php) to execute a filter that could bring down the site by overloading the database server (CVE-2013-1883). Affects MantisBT 1.2.12 and later. Refer to issue #15573 for detailed information.
  • A cross-site scripting (XSS) vulnerability allowed execution of arbitrary JavaScript code when deleting a version. Affects MantisBT 1.2.14 and later. Refer to issue #15511 for detailed information.
  • In some cases, the ‘Close’ button would be available to unauthorized users, allowing them to close issues at will, bypassing the workflow settings. Affects MantisBT 1.2.12 and later. Refer to issue #15453 for detailed information.

This release also includes several bug fixes and enhancements to the tracker and the SOAP API, as well as updated translations in many languages.

A full changelog for 1.2.15 can be found here. Go ahead and download it now.

Check out Hosted MantisBT to be up and running in minutes. For optimized access to MantisBT from iPhone, Android and Windows Phone, check out MantisTouch.