Year: 2020

MantisBT 2.24.4 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.4

Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues’ contents. All installations are strongly advised to upgrade as soon as possible.

This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.

  • 0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
  • 0026794: [security] User Account – Takeover (dregad)
  • 0027363: [security] Fixed in version can be changed to a version that doesn’t exist (dregad)
  • 0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
  • 0027357: [security] Attacker can leak private information via different functionality (dregad)
  • 0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
  • 0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
  • 0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
  • 0027361: [security] Private category can be access/used by a non member of a private project (IDOR) (dregad)
  • 0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
  • 0027495: [security] CVE-2020-28413: SQL injection in the parameter “access” on the mc_project_get_users function throught the API SOAP. (dregad) 0027704: [javascript] Javascript error in View Issues page (dregad)
  • 0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
  • 0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
  • 0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
  • 0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
  • 0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)
  • 0027444: [security] Printing unsanitized user input in install.php (atrol)

Many thanks to randomdhiraj, ethicalhcop and d3vpoo1, for identifying and responsibly reporting these security issues.

Go ahead and download the release from our website.

MantisBT 2.24.3 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.3

Security release for 2.24.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0027039: [security] CVE-2020-25781: Access to private bug note attachments (dregad)
  • 0027268: [security] Admin can get issues assigned to users not allowed to handle them (dregad)
  • 0027275: [security] CVE-2020-25288: HTML Injection on bug_update_page.php (dregad)
  • 0027276: [security] Send reminder to viewer (dregad)
  • 0027283: [security] Admin can set viewer as a tag creator (dregad)
  • 0027284: [plug-ins] Priority can override to any positive integer (dregad)
  • 0027299: [code cleanup] Remove code duplication in File API (dregad)
  • 0027303: [code cleanup] When processing categories, it is not necessary to know the project id (dregad)
  • 0027304: [security] CVE-2020-25830: HTML Injection in bug_actiongroup_page.php (dregad)

Many thanks to d3vpoo1 who identified most of the security issues fixed in this release.

Go ahead and download the release from our website.

MantisBT 2.24.2 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.2

Security release for 2.24.x series. All installations are strongly advised to upgrade as soon as possible.

  • 0027003: [security] Update PHPMailer from 6.1.4 to 6.1.6 (dregad)
  • 0027056: [security] CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php (dregad)

Go ahead and download the release from our website.

MantisBT 2.24.1 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.1

Note that MantisBT 2.23.0 release included a schema change. If upgrading from version older than 2.23.0, do not forget to upgrade the database as documented in the Admin Guide.

Maintenance and security fixes release for 2.24.x series.

  • 0026893: [security] APIs expose private attachments to users who has access to issue but not private notes (vboctor)
  • 0026781: [bugtracker] changed project order / sequence (dregad)
  • 0026805: [attachments] Attachments box is invisible when notes are private by default (vboctor)
  • 0026835: [attachments] Database Server error while adding file to project (atrol)
  • 0026838: [bugtracker] OS build field not filled in viewing mode (atrol)
  • 0026880: [administration] Impossible to reset user’s password (dregad)
  • 0026881: [documentation] Documentation for REST API /users/{id}/reset missing (vboctor)
  • 0026885: [api rest] Resetting password for protected user via REST API should fail (dregad)
  • 0026921: [bugtracker] View Issue page does not show “Product Build” (wrong key names in code) (atrol)

Go ahead and download the release from our website.

MantisBT 2.24.0 and 2.23.1 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!

MantisBT 2.24.0

Note that MantisBT 2.23.0 release included a schema change. If upgrading from version older than 2.23.0, do not forget to upgrade the database as documented in the Admin Guide.

  • 22142: [ui] on mantisbt.org Roadmap progress bar ‘data-percent’ class could stand out better (syncguru)
  • 26439: [ui] Issue list throws warning on every issue without bug notes. (dregad)
  • 26441: [api rest] Update GuzzleHttp from 6.4.1 to 6.5.2 (dregad)
  • 26473: [ui] Incorrect CSS rules get applied if a word in custom field name matches an existing CSS class (atrol)
  • 26475: [email] Update phpmailer/phpmailer from 6.1.3 to 6.1.4 (dregad)
  • 26567: [code cleanup] Code Cleanup (atrol)
  • 26555: [reports] Wrong number of displayed rows on summary page (atrol)
  • 26572: [code cleanup] Remove $g_log_destination ‘firebug’ option, as the project is dead since 2017 (dregad)
  • 26589: [documentation] Admin Guide: remove doc for long-deprecated $g_ldap_port config (dregad)
  • 26598: [db mssql] Update ADOdb to 5.20.16 (dregad)
  • 09534: [feature] Limit reporter’s access to their own issues (cproensa)
  • 11365: [plug-ins] New Event: EVENT_MENU_ISSUE_RELATIONSHIP (dregad)
  • 11381: [relationships] Dependency Graph crash on circular parent child relationships (dregad)
  • 17594: [reports] Display issue Summary inside relation graph nodes (dregad)
  • 21133: [rss] Access of non existent image in RSS feeds (dregad)
  • 24600: [filters] BugFilterQuery – issue? – trying to add join & where conditions (cproensa)
  • 26163: [relationships] Relationship Graph page UI lacks MantisBT 2.x layout (dregad)
  • 26164: [relationships] Relationship Graph page is missing legend (dregad)
  • 26165: [relationships] Relationship Graph – inconsistency between button label and title (dregad)
  • 26612: [plug-ins] Improve MantisColumn sort capability to allow sorting by more complex expressions (cproensa)
  • 26621: [filters] Wrong filtering by none-relationship (cproensa)
  • 26623: [ui] Generate token with empty name and APPLICATION ERROR #11 (dregad)
  • 26632: [api rest] Support user password reset via REST API (community)
  • 26636: [installation] Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail (dregad)
  • 09155: [time tracking] Cell coloring for due date indicates “overdue” when not overdue yet. (dregad)
  • 09155: [time tracking] Cell coloring for due date indicates “overdue” when not overdue yet. (dregad)
  • 10831: [administration] how can I allow user to view only the issue that assigned to them (cproensa)
  • 15466: [bugtracker] Reporter can’t see an issue they have been made a monitor of (cproensa)
  • 16869: [bugtracker] Change of due date background color (dregad)
  • 21201: [localization] lang_get_defaulted does not search for fallback language (dregad)
  • 23570: [bugtracker] Implement limit_reporters as a threshold (cproensa)
  • 25097: [authentication] login username is not trimmed (dregad)
  • 25115: [roadmap] User can’t see in roadmap a private issue that they reported (cproensa)
  • 26438: [bugtracker] Allow multiple, customizable due date levels (dregad)
  • 09155: [time tracking] Cell coloring for due date indicates “overdue” when not overdue yet. (dregad)
  • 16869: [bugtracker] Change of due date background color (dregad)
  • 26568: [installation] Use appropriate statement to update DB schema when generating SQL (dregad)
  • 26542: [api rest] Passing out of range custom field id causes multiple PHP warnings / incorrect response (dregad)
  • 26540: [api rest] Passing unsanitized data to type hinted function causes program crash (dregad)
  • 26541: [api rest] Passing invalid id to rest api custom field update causes program crash (dregad)
  • 26662: [installation] Final statement to set database version not logged in SQL script (dregad)
  • 26661: [installation] Add informational comments to SQL script generated by installer (dregad)
  • 26663: [installation] improve installer messages when generating SQL script (dregad)
  • 26664: [installation] Allow admin to reset table pre/suffix to their default values (dregad)
  • 26686: [bugtracker] Make category on bug_report_page a required field when $g_allow_no_category = OFF; (dregad)
  • 26687: [bugtracker] Required fields when reporting an issue, should also be when updating it (dregad)
  • 26690: [bugtracker] Mass update does not allow setting an empty category (dregad)
  • 26712: [ui] Provide a way to ‘show content’ for all complex items on Manage Configuration Report page (dregad)
  • 26747: [plug-ins] No equivalent to lang_get_defaulted() in plugin_api() (dregad)
  • 26765: [bugtracker] Inheritance of sub project not read correctly from database (dregad)
  • 26778: [customization] Retire bug_change_status_page_fields config option (vboctor)

MantisBT 2.23.1

Maintenance release for 2.23.x series.

  • 26482: [ui] ‘View Issue’ page fails to populate some fields (ex ‘ID’) for some projects (but not others) (atrol)
  • 26470: [localization] Issue values on bug view page are not localized. (atrol)
  • 26596: [installation] Wrong defaults for db (plugin) table prefix/suffix (dregad)
  • 26610: [ui] Option history_default_visible does not work (atrol)
  • 26622: [ldap] LDAP API does not cache realname information (dregad)
  • 26600: [performance] Performance loss after update from 2.20.0 to 2.23.0 (dregad)
  • 26570: [bugtracker] Assigning bug from group action creates empty bugnote (atrol)
  • 26575: [plug-ins] When calling bug_assign function it auto creates empty note (atrol)
  • 26629: [ldap] LDAP API throws PHP warning when ldap_connect() fails (dregad)
  • 26757: [bugtracker] Bugnote from reminder is always public – ignoring private checkbox state (community)

Go ahead and download the release from our website.