MantisBT 2.0.0-beta.1 Released

MantisBT 2.0.0 release focuses on improvements to the UI compared to 1.3.x release. As of this release, the db schema is the same between 1.3.x and 2.0.0-beta.1, enabling users to easily try 2.0.0-beta.1 and provide feedback.

Modern UI

  • Bootstrap 3.3.6 is used as the basis for the new modern UI (#17919)
  • FontAwesome 4.6.3 is now used for icons instead of images (#17919)
  • New UI Is based on a theme contributed by Mohsen (#17919).
  • Mobile friendly responsive UI (#17919)
  • Drag and Drop files to attach them to issues (#19590)
  • Modern Graphs using Chartjs for better looking, more interactive, and easier to setup graphs. (#12825)
  • Most of the plugins were updated to be compatible with the Modern UI. Look for a branch named modern-ui (or check on the plugin repositories.

Modern My View Page

Modern View Issues Page Modern View Issue Page

Deprecated Features

  • Custom Functions in favor of Plugins
  • News feature – already deprecated
  • Time tracking – already deprecated
  • Project Docs – already deprecated
  • Sponsorships – already deprecated

Removed Features

  • DB2 Support

Checkout the new release on mantisbt website and report any issues you may find via our official bugtracker.

MantisBT 1.3.0 (stable) Released

After several 1.3.x beta and release candidates, this release marks the first stable 1.3.x release. The 1.3.0 stable release has more than 500 fixes and improvements compared to 1.2.x releases (see changelogs for 1.3.0, 1.3.0-rc.21.3.0-rc.1, 1.3.0-beta.3, 1.3.0-beta.2, 1.3.0-beta.1). It is recommended that all MantisBT administrators upgrade to this release.

Following are some of the highlights of 1.3.0 release:

  • @ mentions support – mention other users in issue summary, description and notes and they will get an email alerting them to the fact that they were mentioned with the appropriate context.
  • Support for avatar plugins – We still ship Gravatar out of the box, but it is now very easy to implement other avatar providers that can be based on file system or LDAP.
  • Support for user lifecycle plugin events – Added plugin events the handle and extend user lifecycle events (see extensibility section below)
  • Allow administrators to impersonate users – Administrators can now impersonate a user account to verify that it’s access level is as expected or to troubleshoot issues that their users are having with Mantis.
  • Support for notes and tags as columns to configure for view issues, print issues, csv/excel export
  • Support for login using email address – Users can login using either usernames or email addresses.
  • Enforcing email uniqueness – User emails must be unique or empty for service accounts.
  • Enable configuration for email notifications for category owner – The same way it is possible to configure whether reporter of an issue should receive notifications, the same can now happen for category owners.
  • Re-implemented parsing of complex configuration types for Configuration Report – Re-implemented parsing logic in a robust way leveraging standard PHP methods designed to parse PHP expressions.
  • Tagging directly from report issue page – You no longer have to report an issue, then go and tag it, this can now be done in a single step.
  • Timeline feature – The My View (dashboard) page now has the most recent events for the selected project to give users a quick overview of what their team are up to.
  • API Tokens – Users can now generate tokens to use when connecting via SOAP API rather than having to use their username and password
  • Anti-spam – Ability to limit the number of issues or notes a user who signed up can submit.
  • Memo custom fields – This was a popular request, it is now supported.
  • jQuery and jQueryUI are now included in core – It is no longer needed to install a plugin to get jQuery. Plugins can just assume it is there.
  • PHP version compatibility up to PHP 5.6 and PHP 7.
  • Better generated HTML, relying on CSS instead of inline styles and reducing use of tables for layout
  • HTML5 doctype – Lots of improvements to generated markup.
  • Out-of-the-box support for Oracle (oci8)
  • Greatly enhanced support for PostgreSQL
  • Improved installation and admin utilities (system check, tools)
  • Mechanism to prevent concurrent updates to the same issue
  • Detailed filters hidden by default
  • Improved XmlImportExport core plugin
  • Bigger e-mail and realname fields
  • Improved documentation, migrated to Publican
  • Improved email notifications when an issue is unassigned or re-assigned
  • Support attaching files while adding a note + attaching multiple files with same name
  • Added new log level LOG_EMAIL_VERBOSE.
  • 500+ fixes and improvements


  • CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php – #20956
  • Cannot change password in second enter to verification page – #6009
  • bugnote actions in view bug page should send data as POST – #20141
  • CVE-2014-9759: SOAP API can be used to disclose confidential settings – #20277
  • CVE-2014-9572: Improper Access Control in install.php – #19273
  • CVE-2014-9571: XSS in install.php – #19274
  • CVE-2015-1042: URL redirection issue – #19275
  • CVE-2014-9573: SQL Injection in manage_user_page.php – #19277
  • PHP remote code execution in install.php – #12908
  • CVE-2014-9701: XSS vulnerability in permalink_page.php – #19504
  • Registrations by bots via captcha exploit – #10028
  • Support Content-Security-Policy (CSP) per W3C specification – #14679
  • install.php: do not send the value of crypto_master_salt over http – #17382
  • Redirect user to change password if logged in with default admin password – #16477
  • plugins directory must be secured/fixed – #14538
  • Provide additional random number generators – #17381
  • IIS: add web.config to deny access to config folder – #17380
  • allow_reporter_reopen lets reporter make any update, not just reopen – #11804
  • Add support for Strict-Transport-Security header – #12881
  • Improve random number generation with openssl_random_pseudo_bytes – #10730
  • Do not allow to send a reminder on a private issue to users under threshold – #11981
  • Remove input side XSS validation of user real names – #12368
  • When user reports an issue, the unpermitted project can be selected – #16024
  • Remove all inline JavaScript from MantisBT (use external scripts instead) – #11826


Added the following events (see manual for details):


Deprecated Features

  • Custom Functions in favor of Plugins
  • DB2 support – removed in 2.0.x
  • News feature – already deprecated
  • Time tracking – already deprecated
  • Project Docs – already deprecated
  • Sponsorships – already deprecated

Removed Features

  • Built-in source code integration support
  • FTP for attachments
  • Removed nusoap in favor of native php soap extension
  • Removed feature extended project browser (#12245)