Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible.
Many thanks to randomdhiraj, ethicalhcop and d3vpoo1 (https://gitlab.com/jrckmcsb), for identifying and responsibly reporting these security issues.
This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.
0027357: [security] Attacker can leak private information via different functionality (dregad)
0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
0027361: [security] Private category can be accessed/used by a non member of a private project (IDOR) (dregad)
0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
0026794: [security] User Account - Takeover (dregad)
0027363: [security] Fixed in version can be changed to a version that doesn't exist (dregad)
0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
0027495: [security] CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function through the API SOAP. (dregad)
0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
0027444: [security] Printing unsanitized user input in install.php (atrol)
0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
0027704: [javascript] Javascript error in View Issues page (dregad)
0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)