MantisBT 2.24.3 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.3

Security release for 2.24.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0027039: [security] CVE-2020-25781: Access to private bug note attachments (dregad)
  • 0027268: [security] Admin can get issues assigned to users not allowed to handle them (dregad)
  • 0027275: [security] CVE-2020-25288: HTML Injection on bug_update_page.php (dregad)
  • 0027276: [security] Send reminder to viewer (dregad)
  • 0027283: [security] Admin can set viewer as a tag creator (dregad)
  • 0027284: [plug-ins] Priority can override to any positive integer (dregad)
  • 0027299: [code cleanup] Remove code duplication in File API (dregad)
  • 0027303: [code cleanup] When processing categories, it is not necessary to know the project id (dregad)
  • 0027304: [security] CVE-2020-25830: HTML Injection in bug_actiongroup_page.php (dregad)

Many thanks to d3vpoo1 who identified most of the security issues fixed in this release.

Go ahead and download the release from our website.

MantisBT 2.24.2 Released

MantisBT 2.24.2

Security release for 2.24.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0027003: [security] Update PHPMailer from 6.1.4 to 6.1.6 (dregad)
  • 0027056: [security] CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php (dregad)

MantisBT 2.22.1 and 1.3.20 released

MantisBT 2.22.1

Security release for 2.22.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0026091: [security] CVE-2019-15715: [Admin Required – Post Authentication] Command Execution / Injection Vulnerability (atrol)
  • 0026110: [administration] [Show content] for Complex Configuration option doesn’t work when mod_rewrite is disabled (dregad)
  • 0026160: [security] Update bundled Bootstrap to 3.4.1 (CVE-2019-8331) (dregad)
  • 0026168: [security] Enable integrity hashes for CSS resources from CDNs (dregad)

MantisBT 1.3.20

Security release for 1.3.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0026162: [security] CVE-2019-15715: Command Execution / Injection Vulnerability (dregad)

MantisBT 2.21.2 released

MantisBT 2.21.2

Security release for 2.21.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0025995: [security] CVE-2019-15074: Stored XSS Vulnerability in Timeline (dregad)

MantisBT 2.21.1 released

MantisBT 2.21.1

Maintenance release for 2.21.x series.

  • 0025722: [administration] Wrong access_level settings when updating rights in the project admin page (cproensa)
  • 0025734: [administration] LOGFILE_NOT_WRITABLE error triggered if file does not exist (dregad)
  • 0025742: [other] Summary “By Date (days)” gets wrong number (cproensa)
  • 0025763: [attachments] File upload timeout (atrol)
  • 0025781: [reports] Summary statistics db error message (cproensa)
  • 0025783: [administration] Button label truncated on manage_config_workflow_page (dregad)
