{"id":244,"date":"2013-01-30T05:32:25","date_gmt":"2013-01-30T05:32:25","guid":{"rendered":"http:\/\/www.mantisbt.org\/blog\/?p=244"},"modified":"2015-01-16T09:36:53","modified_gmt":"2015-01-16T14:36:53","slug":"244","status":"publish","type":"post","link":"https:\/\/mantisbt.org\/blog\/archives\/mantisbt\/244","title":{"rendered":"MantisBT 1.2.14 Released"},"content":{"rendered":"<p>MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.<!--more--><\/p>\n<p>The following release notes are relative to 1.2.12 (rather than 1.2.13).<\/p>\n<p>Four cross-site scripting (XSS) vulnerabilities were discovered and resolved:<\/p>\n<ul>\n<li>A malicious person could trick a target user&#8217;s browser into executing arbitrary JavaScript code (CVE-2013-0197). This vulnerability is critical, because the affected page (search.php) is usable anonymously on public-facing installations (i.e. without the need for a user login). Affects MantisBT 1.2.12 only (earlier versions are not impacted). Refer to issue <a href=\"http:\/\/www.mantisbt.org\/bugs\/view.php?id=15373\" target=\"_blank\">#15373<\/a> for detailed information.<\/li>\n<li>A user holding manager\/administrator permissions could create a category or project name containing JavaScript code; from that point on, visitors to (a) the Summary page (summary.php) and (b) the Configuration Report page (adm_config_report.php) are exposed to having that JavaScript execute within their browser. The severity of this issue is mitigated by the need for a privileged account to modify category and project names. Issue (a) affects MantisBT 1.2.12 and above, while (b) affects 1.2.13 only; earlier releases are not impacted. Refer to issues <a href=\"http:\/\/www.mantisbt.org\/bugs\/view.php?id=15384\" target=\"_blank\">#15384<\/a> (a) and <a href=\"http:\/\/www.mantisbt.org\/bugs\/view.php?id=15415\" target=\"_blank\">#15415<\/a> (b) for detailed information.<\/li>\n<li>An administrator could enter a configuration option containing JavaScript code, which would then be executed when displaying the Configuration Report page (adm_config_report.php). The severity of this issue is mitigated by the need for a privileged account. Affects all MantisBT 1.2.x versions. Refer to issue <a href=\"http:\/\/www.mantisbt.org\/bugs\/view.php?id=15416\" target=\"_blank\">#15416<\/a> for detailed information.<\/li>\n<\/ul>\n<p>A workflow-related security issue was also fixed:<\/p>\n<ul>\n<li>A user with &#8220;Reporter&#8221; permissions could modify the workflow status of any issue to &#8220;New&#8221; even without the privileges required to make this change. Refer to issue <a href=\"http:\/\/www.mantisbt.org\/bugs\/view.php?id=15258\" target=\"_blank\">#15258<\/a> for detailed information.<\/li>\n<\/ul>\n<p>In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:<\/p>\n<ul>\n<li>improved Manage Configuration page (better performance, ability to filter and edit config options)<\/li>\n<li>support for the built-in SOAP extension in addition to nusoap<\/li>\n<li>updated translations in many languages<\/li>\n<\/ul>\n<p>A full changelog for 1.2.14 can be found <a title=\"ChangeLog for MantisBT v1.2.13\" href=\"http:\/\/www.mantisbt.org\/bugs\/changelog_page.php?version_id=180\" target=\"_blank\">here<\/a>. Go ahead and <a title=\"Download MantisBT\" href=\"http:\/\/www.mantisbt.org\/download.php\" target=\"_blank\">download<\/a> it now.<\/p>\n<p>Check out <a title=\"Hosted MantisBT\" href=\"http:\/\/www.mantisbt.org\/hosting.php\" target=\"_blank\">Hosted MantisBT<\/a> to be up and running in minutes. For optimized access to MantisBT from iPhone, Android and Windows Phone, check out <a title=\"MantisTouch\" href=\"http:\/\/www.mantistouch.org\" target=\"_blank\">MantisTouch<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-244","post","type-post","status-publish","format-standard","hentry","category-mantisbt"],"_links":{"self":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/comments?post=244"}],"version-history":[{"count":5,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/244\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/244\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/media?parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/categories?post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/tags?post=244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}