In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!
Go ahead and download the release from our website.
This security and maintenance release fixes vulnerabilities in CSV Export (CVE-2021-43257) and Plugins management pages (CVE-2022-26144), as well as in bundled libraries guzzlehttp/psr7 (CVE-2022-24775) and moment.js (CVE-2022-24785). It also addresses several PHP 8.1 compatibility issues.
There are 2 known issues with this release, which have been fixed in 2.25.4: accessing scripts in sub-directories with PHP 5.6 and a technical problem with CDNJS that prevents loading of the moment.js library when using CDN (as a workaround, set $g_cdn_enabled = OFF; in config_inc.php).
- 0029848: [security] Update guzzlehttp/psr7 to 1.8.5 (dregad)
- 0029034: [api soap] SOAP call mc_project_get_id_from_name fails when there is no matching project in PHP 7.2 (community)
- 0029846: [bugtracker] Passing null to parameter of type XXX is deprecated (dregad)
- 0028927: [api rest] Slim Application Error when RestFault generated (community)
- 0029845: [bugtracker] Constant FILTER_SANITIZE_STRING is deprecated (dregad)
- 0029130: [security] CVE-2021-43257: CSV Injection with CSV Export Feature (dregad)
- 0029144: [attachments] Adding an attachment with a long filename causes “Data too long for column ‘filename’” application error (dregad)
- 0029181: [bugtracker] ‘format_issue_summary’ custom function not called from View Issue Details page (dregad)
- 0029416: [ui] Missing closing div tag causes incorrect page footer display (dregad)
- 0029462: [installation] Unable to install (dregad)
- 0029413: [custom fields] APPLICATION ERROR 1300 Custom field not found with case-sensitive database (dregad)
- 0029485: [security] Update ADOdb to 5.20.21 (dregad)
- 0029849: [security] Update moment.js to 2.29.2 (dregad)
- 0029688: [security] CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php (dregad)