MantisBT 2.25.5 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.5

Security and maintenance release fixing vulnerabilities in SVG file attachments (CVE-2022-33910). SVG attachments are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.

  • 0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad)
  • 0030541: [documentation] Impossibility of deleting attachment with form security validation turned on (dregad)
  • 0030193: [bugtracker] PHP 5.6 support broken (dregad)
  • 0030204: [filters] Create Permalink – special characters handling (dregad)
  • 0030533: [security] Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote (community)
  • 0030384: [security] CVE-2022-33910: Stored XSS via SVG file upload (dregad)
  • 0030416: [security] Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8 (dregad)
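
For the upgrade note above about custom $g_disallowed_files lists, here is a small audit check (an added example, not MantisBT code). It scans the text of a config_inc.php for literal string assignments and reports whether svg is listed. It assumes the setting is a comma-separated list of extensions matched without regard to case; the function name and the sample configs are constructed for illustration.

```python
import re

# Literal string assignment, e.g.  $g_disallowed_files = 'php,exe';
# Anchored at line start, so lines commented out with # or // never match.
ASSIGN_RE = re.compile(
    r"""^[ \t]*\$g_disallowed_files\s*=\s*(['"])(.*?)\1\s*;""", re.MULTILINE
)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def check_disallowed_files(config_text):
    """Return (status, extensions) for the text of a config_inc.php.

    'default' - no custom list, so the shipped default applies
    'ok'      - custom list includes svg
    'missing' - custom list lacks svg and needs updating
    """
    matches = ASSIGN_RE.findall(BLOCK_COMMENT_RE.sub("", config_text))
    if not matches:
        return "default", []
    value = matches[-1][1]  # the last assignment is the one PHP keeps
    # Assumption: comma-separated extensions, compared case-insensitively.
    # Entries are not trimmed, so 'php, svg' is reported as missing
    # (the conservative reading).
    exts = [e.lower() for e in value.split(",") if e]
    return ("ok" if "svg" in exts else "missing"), exts


# Constructed sample configs (not taken from any real instance).
SAMPLES = {
    "no override": "<?php\n$g_hostname = 'localhost';\n",
    "custom, no svg": "<?php\n# $g_disallowed_files = 'svg';\n"
                      "$g_disallowed_files = 'php,exe,html';\n",
    "custom, with svg": '<?php\n$g_disallowed_files = "php,SVG";\n',
    "svg only in comment": "<?php\n/*\n$g_disallowed_files = 'svg';\n*/\n"
                           "$g_disallowed_files = 'php';\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, exts = check_disallowed_files(text)
        print(f"{name:22} {status:8} {exts}")
```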