MantisBT 2.26.2 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.26.2

Security and maintenance release addressing several vulnerabilities (CVE-2024-34077, CVE-2024-34080 and CVE-2024-34081; refer to the corresponding Issues below for details).

It also resolves a few PHP 8.x compatibility issues, as well as a few other bugs.

All installations are strongly advised to upgrade as soon as possible.

  •  0033906[bugtracker] Failed opening core.php in timeline_inc.php on PHP 8.2 / IIS (dregad)
  •  0034008[documentation] MantisGraph: document usage of EVENT_MANTISGRAPH_SUBMENU (dregad)
  •  0034006[code cleanup] MantisGraph: fix deprecated warnings in javascript (dregad)
  •  0034393[html] Incorrect handling of HTML hexadecimal character references &#xNNN; (dregad)
  •  0034439[code cleanup] Deprecated warning when updating Issue with null checkbox Custom Field (dregad)
  •  0034441[excel] Excel error when opening exported issues with custom field with special characters (dregad)
  •  0034435[bugtracker] Issue note links don’t reflect if issue is resolved (vboctor)
  •  0034434[security] CVE-2024-34080: Don’t hyperlink references to notes whose issues are not accessible to user (vboctor)
  •  0034433[security] CVE-2024-34077: Account Takeover in Password Reset and Account Registration Feature (dregad)
  •  0034432[security] CVE-2024-34081: Unsanitised custom field names printed (dregad)
  •  0034417[security] Update corejs-typeahead.js library to 1.3.4 (dregad)
  •  0034410[api rest] REST API error reports incorrect field “version” when updating fixed in / target version with invalid value (dregad)
  •  0034399[other] Internal server error on view_user_page (atrol)
  •  0012956[bugtracker] Target Version does not respect GET or POST value when reporting issue (dregad)
  •  0034404[bugtracker] Proceed button is shown twice when redirecting with pending errors (dregad)
  •  0034359[api rest] REST API: “String not found” warning when adding note with invalid view_state (dregad)
  •  0034348[api rest] Adding issue note with REST API returns HTTP 500 when given view_state is invalid (dregad)
  •  0034018[filters] Filter “assigned to” and “monitor by” shows <br /> between the users when selecting multiple (advanced filtering) (dregad)
  •  0034106[code cleanup] Deprecated creation of dynamic properties in BugData class (dregad)

MantisBT 2.25.6 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.6

Security and maintenance release addressing an information disclosure issue (CVE-2023-22476), with thanks to d3vpoo1 for identifying and responsibly reporting it, as well as a vulnerability in bundled moment.js library (CVE-2022-31129). This release also resolves over 20 issues including several PHP 8.x compatibility fixes.

All installations are strongly advised to upgrade as soon as possible.

  •  0031086[security] CVE-2023-22476: Private issue summary disclosure (dregad)
  •  0024720[ldap] Editing user with use_ldap_email = ON empties email address (dregad)
  •  0031827[reports] Graphviz logs syntax error in line xx near ‘;’ (atrol)
  •  0031712[code cleanup] PHP 8.1 deprecated warnings (dregad)
  •  0031159[tagging] Undefined constants TAG_NOT_ATTACHED + TAG_ALREADY_ATTACHED in tag_api.php (dregad)
  •  0030922[bugtracker] Browser extensions may trigger automatic bug monitoring (community)
  •  0030918[markdown] URLs should only be converted to links when process_url is ON (dregad)
  •  0030835[ui] unreachable submit button (Update Information) on issue update when using tab key (dregad)
  •  0030841[api rest] Update Slim Framework to 3.12.4 (dregad)
  •  0030794[signup] Captcha image not showing on PHP 8.1 (dregad)
  •  0030777[upgrade] Scalar typehint is not supported in PHP 5.x (dregad)
  •  0030793[bugtracker] config_flush_cache() doesn’t clean the eval cache for individual options (dregad)
  •  0030772[security] Update moment.js to 2.29.4 (dregad)
  •  0030791[security] Allow adding relation type noopener/noreferrer to outgoing links (dregad)
  •  0030771[ldap] Poor error handling when $g_login_method = LDAP and PHP extension missing (dregad)
  •  0030814[signup] Captcha audio not working (dregad)
  •  0030429[other] Upcoming incompatibility with PHP 8.2, “Deprecate ${} string interpolation” RFC (dregad)
  •  0031876[plug-ins] XML import: Undefined property warning when importing bug notes (dregad)
  •  0030790[ldap] Deprecated conversion of false to array in ldap_api.php with PHP 8.1 (dregad)
  •  0032037[bugtracker] Remove “sponsorship_total” from columns default (dregad)
  •  0031943[installation] Creation of dynamic properies is deprecated in PHP 8.2 (dregad)
  •  0022238[documentation] Missing columns on $g_view_issues_page_columns documentation (dregad)
  •  0031829[ui] Status color boxes shown in black on bug_relationship_graph.php (dregad)
  •  0031836[bugtracker] Date conversion fails when editing a project version using a non-US date format (dregad)
  •  0031889[bugtracker] Product Version / Target Version – Date missing (dregad)

MantisBT 2.25.5 released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.5

Security and maintenance release fixing vulnerabilities with SVG files attachments (CVE-2022-33910), which are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.

  • 0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad)
  • 0030541: [documentation] Impossibility of deleting attachment with form security validation turned on (dregad)
  • 0030193: [bugtracker] PHP 5.6 support broken (dregad)
  • 0030204: [filters] Create Permalink – special characters handling (dregad)
  • 0030533: [security] Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote (community)
  • 0030384: [security] CVE-2022-33910: Stored XSS via SVG file upload (dregad)
  • 0030416: [security] Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8 (dregad)

MantisBT 2.25.3 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.3

This security and maintenance release fixes vulnerabilities in CSV Export (CVE-2021-43257) and Plugins management pages (CVE-2022-26144), as well as in bundled libraries guzzlehttp/psr7 (CVE-2022-24775) and moment.js (CVE-2022-24785). It also addresses several PHP 8.1 compatibility issues.

There are 2 known issues with this release, which have been fixed in 2.25.4: accessing scripts in sub-directories with PHP 5.6 and a technical problem with CDNJS that prevents loading of the moment.js library when using CDN (as a workaround, set $g_cdn_enabled = OFF; in config_inc.php).

Continue reading “MantisBT 2.25.3 Released”

MantisBT 2.25.2 Released

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!

Go ahead and download the release from our website.

MantisBT 2.25.2

This security and maintenance release fixes vulnerabilities in Custom Fields management page (CVE-2021-33557) and in the PHPMailer library, as well as a PHP 8 compatibility issue.

  • 0028803: [custom fields] PHP 8: “Bad Request” error on custom field filters (dregad)
  • 0028821: [security] Update PHPMailer to 6.5.0 (dregad)
  • 0028552: [security] CVE-2021-33557: XSS in manage_custom_field_edit_page.php (dregad)