Security release for 2.24.x series. All installations are strongly advised to upgrade as soon as possible.
- 0027039: [security] CVE-2020-25781: Access to private bug note attachments (dregad)
- 0027268: [security] Admin can get issues assigned to users not allowed to handle them (dregad)
- 0027275: [security] CVE-2020-25288: HTML Injection on bug_update_page.php (dregad)
- 0027276: [security] Send reminder to viewer (dregad)
- 0027283: [security] Admin can set viewer as a tag creator (dregad)
- 0027284: [plug-ins] Priority can override to any positive integer (dregad)
- 0027299: [code cleanup] Remove code duplication in File API (dregad)
- 0027303: [code cleanup] When processing categories, it is not necessary to know the project id (dregad)
- 0027304: [security] CVE-2020-25830: HTML Injection in bug_actiongroup_page.php (dregad)
Many thanks to d3vpoo1 who identified most of the security issues fixed in this release.
Go ahead and download the release from our website.