mantisbt - Change Log

0027361: [security] Private category can be access/used by a non member of a private project (IDOR) (dregad) 0027357: [security] Attacker can leak private information via different functionality (dregad)       0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)       0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)       0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad) 0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad) 0026794: [security] User Account - Takeover (dregad) 0027363: [security] Fixed in version can be changed to a version that doesn't exist (dregad) 0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad) 0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad) 0027495: [security] CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function throught the API SOAP. (dregad) 0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad) 0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad) 0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad) 0027704: [javascript] Javascript error in View Issues page (dregad) 0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol) 0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol) 0027444: [security] Printing unsanitized user input in install.php (atrol)