Not Yet Released

Feature and maintenance release. Dropping support for PHP 7.3 and older.

  • 0034468: [code cleanup] Refactoring and cleaning up includes (dregad)
  • 0034464: [attachments] Improve display of file upload error messages (dropzone) (dregad)
  • 0034467: [ui] File attachment previews (drop zone) Remove button is not standard (dregad)
  • 0026797: [administration] Add failed_login_count to user information (atrol)
  • 0034463: [html] Wrong rendering of custom field names (atrol)
  • 0034459: [ui] Missing tooltip for bugnotes_count column (dregad)
  • 0034454: [other] Columns are offered in columns list without having access rights to them (atrol)
  • 0034455: [html] Wrong function used to format bug id (atrol)
  • 0034456: [performance] Enhance performance of bug note formatting (atrol)
  • 0010289: [documentation] Admin Guide "Page Descriptions" pages have CR/LF problems (dregad)
  • 0034415: [markdown] Update Parsedown library to 1.7.4 (dregad)
  • 0024810: [markdown] Markdown links/code always show HTML entities for Ampersand and Less-than sign (dregad)
  • 0022231: [markdown] Fix unit tests for markdown (dregad)
  • 0022315: [markdown] Markdown converts " to " within code blocks and inline code (dregad)
  • 0022320: [markdown] Don't expand issue ids into URLs within code blocks (dregad)
  • 0023738: [markdown] Mantis issue links displayed as raw HTML in code block (dregad)
  • 0022181: [markdown] Markdown different rendering between inline code (single backtick) and ``` blocks (community)
  • 0033098: [tools] Ugrade to PHPUnit 9.6 and adapt test suite (dregad)
  •        0032808: [installation] Increase minimum PHP requirement to 7.4 (dregad)
  • 0022485: [markdown] Increase spacing before ``` blocks (community)
  • 0034040: [markdown] Markdown processing code cleanup (part 2) (community)
  • 0024628: [markdown] Double quotes " and lesser than sign < are shown as HTML entity within Markdown code blocks (dregad)
  • 0034379: [code cleanup] Modernizing Tests (partially tests/Mantis) (dregad)
  • 0024241: [markdown] $g_html_valid_tags are not rendered if Markdown is enabled (dregad)
  • 0034139: [administration] Add OS information to SIte Information page (atrol)
  • 0034041: [reports] MantisGraph: last resolved issue not computed in Issue Trends graph (dregad)
  • 0034042: [performance] MantisGraph: inefficient calculation of data sets for Issue Trends graph (dregad)
  • 0033914: [code cleanup] Move timeline_inc.php from core to root directory (dregad)
  • 0031017: [bugtracker] Allow disabling Categories (dregad)
  • 0033350: [email] Update PHPMailer to 6.9.1 (dregad)
  • 0033842: [ui] Move buttons to Edit User section footer in Manage User Page (dregad)
  • 0027004: [administration] Switch back from manage_user_edit_page to view_user_page (dregad)
  • 0033521: [plug-ins] Project graph missing within MantisGraph (dregad)
  • 0033774: [code cleanup] Refactor mc_project_api.php (dregad)
  • 0033755: [tools] Enable Xdebug to facilitate PHPUnit tests troubleshooting (dregad)
  • 0033623: [tools] Travis: switch to focal distribution for builds (dregad)
  • 0033482: [bugtracker] Use config API to access allow_browser_cache (dregad)
  • 0033007: [code cleanup] Remove deprecated and incorrect usage of Pragma: no-cache header (dregad)
  • 0033421: [api rest] Update Guzzle to 7.8.1 (dregad)
  • 0033373: [other] Update HTML Purifier to 4.17.0 (dregad)
  • 0032808: [installation] Increase minimum PHP requirement to 7.4 (dregad)
40 issues View Issues
Not Yet Released

Hotfix release

  • 0025407: [api rest] Resetting version fields to empty is not possible (dregad)
  • 0034458: [ui] Better icon for "overdue" column (dregad)
  • 0034442: [html] Wrong display of some column titles on "View Issues" page (dregad)
  • 0034461: [relationships] Relationship Graphs show/hide flag is not persistent (dregad)
  • 0034462: [relationships] Truncated HTML entities shown in Relationship Graph nodes' Issue summary (dregad)
5 issues View Issues
Released 2024-05-11

Security and maintenance release addressing several vulnerabilities (CVE-2024-34077, CVE-2024-34080 and CVE-2024-34081; refer to the corresponding Issues for details). It also resolves a few PHP 8.x compatibility issues, as well as a few other bugs.
All installations are strongly advised to upgrade as soon as possible

  • 0033906: [bugtracker] Failed opening core.php in timeline_inc.php on PHP 8.2 / IIS (dregad)
  • 0034432: [security] CVE-2024-34081: Unsanitised custom field names printed (dregad)
  • 0034008: [documentation] MantisGraph: document usage of EVENT_MANTISGRAPH_SUBMENU (dregad)
  • 0034006: [code cleanup] MantisGraph: fix deprecated warnings in javascript (dregad)
  • 0034393: [html] Incorrect handling of HTML hexadecimal character references &#xNNN; (dregad)
  • 0034439: [code cleanup] Deprecated warning when updating Issue with null checkbox Custom Field (dregad)
  • 0034441: [excel] Excel error when opening exported issues with custom field with special characters (dregad)
  • 0034435: [bugtracker] Issue note links don't reflect if issue is resolved (vboctor)
  • 0034434: [security] CVE-2024-34080: Don't hyperlink references to notes whose issues are not accessible to user (vboctor)
  • 0034433: [security] CVE-2024-34077: Account Takeover in Password Reset and Account Registration Feature (dregad)
  • 0034417: [security] Update corejs-typeahead.js library to 1.3.4 (dregad)
  • 0034410: [api rest] REST API error reports incorrect field "version" when updating fixed in / target version with invalid value (dregad)
  • 0034399: [other] Internal server error on view_user_page (atrol)
  • 0012956: [bugtracker] Target Version does not respect GET or POST value when reporting issue (dregad)
  • 0034404: [bugtracker] Proceed button is shown twice when redirecting with pending errors (dregad)
  • 0034359: [api rest] REST API: "String not found" warning when adding note with invalid view_state (dregad)
  • 0034348: [api rest] Adding issue note with REST API returns HTTP 500 when given view_state is invalid (dregad)
  • 0034018: [filters] Filter "assigned to" and "monitor by" shows <br /> between the users when selecting multiple (advanced filtering) (dregad)
  • 0034106: [code cleanup] Deprecated creation of dynamic properties in BugData class (dregad)
19 issues View Issues
Released 2024-02-20

Security and maintenance release addressing a host header injection vulnerability (CVE-2024-23830). It also resolves several regression issues introduced in 2.26.0 release, and includes fixes for PHP 8.x compatibility as well as other issues.
All installations are strongly advised to upgrade as soon as possible

  • 0033480: [bugtracker] Blank page when redirecting with print_successful_redirect() (dregad)
  • 0033173: [api rest] No endpoints working on Windows server with PHP 8.1+ (dregad)
  • 0019381: [security] CVE-2024-23830: Host header attack vulnerability (dregad)
  • 0033418: [documentation] Document PHP ctype extension as required (dregad)
  • 0033481: [ui] Missing space between "*" and label for required fields on bug report page (dregad)
  • 0033426: [authentication] User not authenticated when following link from notification email (dregad)
  • 0033422: [api rest] Updating an issue with bugnote having empty text causes PHP errors (dregad)
  • 0033402: [api rest] Updating an Issue through the API sets all comments last edit timestamp (community)
  • 0033374: [other] Erratic behavior of RestProjectVersionTest::testProjectUpdateVersion PHPUnit test case (dregad)
  • 0033372: [db mssql] SQL error opening Manage Users page with MSSQL (dregad)
  • 0033248: [custom fields] APPLICATION ERROR 2800 Invalid form security token when trying to delete custom field (dregad)
  • 0033358: [custom fields] Custom fields are showing when resolving issues form despite not checking the option (atrol)
  • 0033171: [db schema] Update ADOdb to 5.22.7 (dregad)
  • 0033375: [tools] Enable PHP 8.3 on Travis CI builds (dregad)
  • 0033404: [authorization] Unable to grant user access to private issue by adding them as a monitoring user (atrol)
  • 0033519: [installation] MySQL Native Driver (mysqlnd) is required (dregad)
  • 0033588: [administration] Creating an Configuration Option with complex array fails when number is negative (dregad)
  • 0033631: [code cleanup] Uncaught exception in installer (dregad)
  • 0033634: [rss] Error in creating RSS when there are no issues to publish (dregad)
  • 0033651: [ui] Overflowing text issue on sidebar menu (dregad)
  • 0033756: [installation] Errors on browser console when installing (dregad)
  • 0033773: [installation] Install: reset buttons for table prefix/suffix not working at stage 2 (dregad)
22 issues View Issues
Released 2023-10-30

Feature and maintenance release. Dropping support for PHP 7.1 and older, the earliest supported PHP version is now 7.2.5. New configuration options were added to control access to Export and Print Report features (see 0022224). The default value for the latter was set to UPDATER for security reasons (see 0025492); to restore earlier behavior, administrators should set $g_print_reports_threshold = VIEWER;.

  • 0032249: [api rest] Get Project Issues returns html if user doesn't have access to project (vboctor)
  • 0028525: [administration] Using MySQL 8.0 gives warning in admin checks (atrol)
  • 0021264: [documentation] Option max_dropdown_length is not documented in Admin Guide (dregad)
  • 0030919: [markdown] Markdown processing code cleanup (dregad)
  • 0005189: [bugtracker] "Operation successful." message page slows down interaction (vboctor)
  • 0032245: [api rest] REST API for creating API tokens for users (vboctor)
  • 0029611: [bugtracker] Cookies "SameSite" attribute triggers warnings in Firefox console (dregad)
  • 0029454: [email] monitor receives no mails if he is not project member (atrol)
  • 0030415: [api rest] REST API: Add API to Get / Delete / Update versions (vboctor)
  • 0031666: [plug-ins] Hook for Custom field on bug_change_status_page (community)
  • 0029025: [email] Update PHPMailer to 6.8.0 (dregad)
  • 0032866: [api rest] Allow REST API to run on PHP 8.1 without squelching E_DEPRECATED notices (dregad)
  • 0032810: [tools] Ugrade to PHPUnit 8.5 and adapt test suite (dregad)
  •        0027840: [installation] Increase minimum PHP requirement to 7.2.5 (dregad)
  • 0028068: [db mssql] Impossible to insert child records with ADOdb 5.21.0 on mssql (dregad)
  • 0028069: [db postgresql] PHP notices leading to unusable system with ADOdb 5.21.0 on pgsql (dregad)
  • 0008664: [localization] Translation in Espéranto (dregad)
  • 0026148: [ui] Add hash to MantisBT CSS files to force browser cache update (vboctor)
  • 0028830: [code cleanup] Remove PHP < 5.4 compatibility code from user_get_all_accessible_projects() (dregad)
  • 0026998: [plug-ins] Event on access level modifications (dregad)
  • 0028905: [localization] String optimizations for English language (atrol)
  • 0028861: [localization] Incorrectly configured saraiki language (dregad)
  • 0028918: [upgrade] Improve handling of unserialize->json conversion during upgrade (dregad)
  • 0028120: [performance] Improve performance of user_pref_clear_invalid_project_default() (dregad)
  • 0028826: [ui] Removing vertical lines in tabular presentation to reduce clutter (community)
  • 0028119: [code cleanup] Calling user_get_field() with non-existing user throws incorrect warning (dregad)
  • 0028124: [ui] Visually align the 1st column's width in manage_user_proj_delete.php (dregad)
  • 0028114: [code cleanup] Invalid HTML in manage_user_edit_page.php (dregad)
  • 0028182: [ui] progress bar on the title bar (road map) (dregad)
  • 0028965: [attachments] Show issue attachments along with issue header information (vboctor)
  • 0028963: [administration] Do not buffer output for CLI scripts (dregad)
  • 0028533: [bugtracker] print_form_button() generates bad security token name for plugin action page (dregad)
  • 0028648: [localization] New Hindi Language Translation (dregad)
  • 0029027: [other] function gpc_set_cookie() ignores $p_httponly argument (community)
  • 0029026: [administration] Language checks should warn about languages not defined in config (dregad)
  • 0028668: [localization] Missing language codes in browser's auto map (dregad)
  • 0029269: [administration] Filter settings are not available on "Workflow Thresholds" page (atrol)
  • 0029230: [ldap] Can't set a custom field for ldap email (dregad)
  • 0029517: [authentication] Login redirection to plugin credentials page for non-existent user (community)
  • 0022109: [ui] Bugnotes links tilde ' ~' sign rendered as dash '-' in View page (dregad)
  •        0028964: [tools] New build script to download updated font files (dregad)
  • 0022224: [bugtracker] Access Restrictions to "Print Reports", "CSV Export", "Excel Export" in view all bugs page (dregad)
  • 0022371: [wiki] Support for WackoWiki (dregad)
  • 0025492: [security] Printing (print_all_bug_page) is a perf/security risk (dregad)
  • 0028902: [db mssql] APPLICATION ERROR 0000401 / Error MSSQL 4145 when view all bugs for 1000 projects or more (atrol)
  • 0028122: [administration] Improve handling of project assignment in manage_user_edit_page.php (dregad)
  • 0029616: [bugtracker] collapse_settings cookie is hardcoded (dregad)
  • 0029903: [relationships] Wrong html syntax
  • 0030192: [change log] Changelog/Roadmap items are printed without any structure (dregad)
  • 0030283: [html] Invalid 'literal' tag used in MantisCoreFormatting language strings (dregad)
  • 0024621: [html] Closing </div> tag missing in sign up page (dregad)
  • 0027114: [ui] Long unbreakable text does not auto wrap in bug details page (community)
  • 0029583: [email] Support for sending emails with CC and/or BCC (community)
  • 0029585: [email] Unable to set the In-Reply-To header to a domain different from the current one (community)
  • 0030447: [administration] Detect invalid HTML in language strings (dregad)
  • 0030428: [installation] admin/check.php script says upload_max_size but actually checks upload_max_filesize (atrol)
  • 0030278: [code cleanup] Removing unused CUSTOM_FIELD_TYPE_xxx constants (dregad)
  • 0030279: [ui] Text Custom Field columns should be left-aligned (dregad)
  • 0030551: [administration] Project Edit Page improvements (dregad)
  •        0030423: [ui] Regroup the 2 Subprojects sections on Manage Project Edit page (dregad)
  •        0027274: [ui] Move Delete buttons into main form (dregad)
  •        0028562: [administration] Undefined constant ERROR_VERSION_NO_ACTION and missing matching error message (dregad)
  •        0028557: [administration] Inconsistent use of hyperlink instead of button to edit Custom Fields in Edit Project page (dregad)
  •        0030435: [ui] Manage Project Edit page should redirect to relevant section after updates (dregad)
  •        0028606: [administration] Incorrect filtering of users on Manage Project / Accounts (dregad)
  •        0030490: [javascript] list.js library causing CSP violation in manage_proj_edit_page.php (dregad)
  •              0030494: [javascript] list.js navigation buttons scrolling to top of page (dregad)
  •        0030494: [javascript] list.js navigation buttons scrolling to top of page (dregad)
  •        0030550: [ui] Buttons' vertical size is slightly smaller than other form elements (dregad)
  • 0004993: [administration] Utility to copy attachments from File to Database (dregad)
  • 0032237: [api rest] REST API Create Project API requires administrator rather than create_project_threshold (vboctor)
  • 0017121: [api soap] phpunit FilterTest fail if there are more than 50 issues in the tracker (dregad)
  • 0022190: [markdown] Markdown markup should be done with CSS classes, not inline styles (community)
  • 0022791: [api rest] Support retrieving users with specified access level to a project (vboctor)
  • 0027128: [api rest] Can not get userid from another user with REST API (vboctor)
  • 0028528: [administration] Outdated PostgreSQL version information in Admin Checks (dregad)
  • 0029511: [installation] MSSQL blocking error during installation. (dregad)
  • 0030773: [performance] Only load dynamic CSS status_config.php when necessary (dregad)
  • 0030908: [api rest] Update postman collection (vboctor)
  • 0031993: [documentation] Using Docker to build Documentation (dregad)
  • 0031944: [ui] "pinning" an issue calls for not CSS code in view_all_inc.php (atrol)
  • 0031833: [bugtracker] Issues should have canonical meta tag (community)
  • 0032244: [performance] Issue view page timeouts or inefficient for issues with large number of notes and attachments (vboctor)
  • 0032246: [api rest] Deleting a user should revoke (delete) all their API tokens (vboctor)
  • 0032247: [api rest] REST API for deleting API token (vboctor)
  • 0032248: [api rest] Get Project REST API returns html if user doesn't have access (vboctor)
  • 0032258: [api rest] Add REST API for setting config options that are settable via database (vboctor)
  • 0032231: [code cleanup] Create ProjectAddCommand (vboctor)
  • 0032238: [code cleanup] Create ProjectUpdateCommand (vboctor)
  • 0032236: [api rest] REST API Create Project doesn't trigger EVENT_MANAGE_PROJECT_CREATE plugin event (vboctor)
  • 0032445: [api rest] REST API: Project Add API to return information about added version (vboctor)
  • 0032331: [api rest] Support selecting which fields to retrieve for an issue (vboctor)
  • 0032356: [api rest] REST API: Support Get User By ID (vboctor)
  • 0032357: [api rest] REST API: Support select for fields to return when getting user info (vboctor)
  • 0032382: [code cleanup] Duplicated code in email API (dregad)
  • 0032385: [bugtracker] Incorrect use of mb_strimwidth() to truncate old/new values in history API (dregad)
  • 0032466: [api rest] REST API: Create Project User (vboctor)
  • 0032469: [api rest] REST API: Support impersonation of users (vboctor)
  • 0032504: [documentation] Documentation: Hooking events declared by other plugins (dregad)
  • 0032704: [code cleanup] Remove deprecated function db_prepare_string() (dregad)
  • 0032714: [code cleanup] Remove function check_php_version() (atrol)
  • 0020647: [administration] Not able to update existing user accounts if $g_email_ensure_unique == ON (vboctor)
  • 0021657: [documentation] Development Guide - Chapter 4. Plugin System - Errors in text (dregad)
  • 0025956: [installation] Drop support for PHP 5.x (dregad)
  • 0027793: [documentation] Admin Guide lists incorrect/incomplete/obsolete required PHP extensions (dregad)
  • 0029882: [tools] Enable PHP 8.1 builds on Travis-CI (dregad)
  • 0030907: [api soap] SOAP API mc_project_get_users doesn't enforce access check (vboctor)
  • 0032232: [code cleanup] Create ProjectDeleteCommand (dregad)
  • 0032234: [api soap] SOAP API Create Project API requires administrator rather than create_project_threshold (vboctor)
  • 0032235: [api soap] SOAP API Create Project doesn't trigger EVENT_MANAGE_PROJECT_CREATE plugin event (vboctor)
  • 0032465: [api rest] REST API: User Update API (vboctor)
  •        0024757: [api rest] To move a user to disabled (vboctor)
  •        0027130: [api rest] change username via rest api (vboctor)
  •        0032464: [code cleanup] Implement UserUpdateCommand (vboctor)
  • 0032468: [api rest] REST API: Update Project User (vboctor)
  • 0032735: [code cleanup] Use range() function instead of string increment (dregad)
  • 0032804: [api rest] REST API unit test incorrectly failing with anonymous user (dregad)
  • 0032806: [documentation] Developers Guide PHPUnit section is out of date (dregad)
  • 0032811: [tagging] Wrong display of tag filter (atrol)
  • 0032814: [api soap] PHPUnit SOAP API tests trigger syntax error when extension is not loaded (dregad)
  • 0032815: [tools] Error when executing the complete PHPUnit test suite with AllTests.php (dregad)
  • 0032816: [tools] Use phpunit.xml to define Test Suites (dregad)
  • 0032828: [tools] TravisCI ' /usr/sbin/sendmail: not found' error after successful test execution (dregad)
  • 0032831: [code cleanup] Remove unnecessary check on Version Id (dregad)
  • 0032832: [code cleanup] Remove version_cache_row()'s 2nd parameter (dregad)
  • 0032835: [api rest] REST API errors when attempting to add or delete issue relationships (dregad)
  • 0032858: [api rest] Status codes returned by REST API delete operations are not consistent (dregad)
  • 0032864: [api rest] Missing PHPUnit tests for Projects REST API endpoints (dregad)
  • 0032901: [code cleanup] Unneeded PHP version checks (atrol)
  • 0028860: [localization] Incorrectly configured serbo-croatian (sh) language (dregad)
  • 0027383: [tools] Refactor and improve output of 'test_langs.php' admin script (dregad)
  • 0030812: [administration] "Copy Categories From" copies global categories (dregad)
  • 0032027: [bugtracker] PHP 8.2 support (dregad)
  •        0032734: [filters] Saving a filter triggers deprecated warning on PHP 8.2 (dregad)
  •        0032028: [db schema] Update ADOdb to 5.22.6 (dregad)
  •              0027840: [installation] Increase minimum PHP requirement to 7.2.5 (dregad)
  •              0033031: [db mysql] Problem in the download process (عندي مشكله في عمليه التنزيل)
  •        0032807: [api rest] Update Guzzle to 7.8.0 (dregad)
  •              0027840: [installation] Increase minimum PHP requirement to 7.2.5 (dregad)
  • 0032038: [email] Missing In-Reply-To header in new bugnote email notification (community)
  • 0032467: [api rest] REST API: Delete Project User (vboctor)
  • 0032726: [filters] Filtering on "projection" field is missing (dregad)
  • 0032787: [administration] Facilitate identification of user accounts sharing the same email (dregad)
  • 0032900: [security] Use PHP random_bytes() instead of our custom crypto_generate_random_string function (atrol)
  • 0032926: [administration] Disallow setting logging options in database (atrol)
  • 0032940: [administration] Add admin check to detect users without e-mail address when allow_empty_email = OFF (dregad)
  • 0032978: [code cleanup] Avatar::get() returns Avatar instance, but phpdoc indicates it returns array (vboctor)
  • 0033003: [documentation] Duplicated REST API endpoint GET /issues in Postman documentation (vboctor)
  • 0033017: [documentation] Mantis version visible in REST API request headers even when $g_show_version is OFF (dregad)
  • 0033010: [administration] PHP errors triggered by Admin Checks cause silent failure (dregad)
  • 0033018: [api rest] Update Slim Framework to 3.12.5 (dregad)
  • 0033023: [api rest] REST and SOAP APIs fail to report that Mantis is offline (dregad)
  • 0033058: [plug-ins] Unknown named parameter $files (dregad)
150 issues View Issues
Released 2023-10-14

Security and maintenance release addressing an information disclosure issue (CVE-2023-44394) and a security issue in bundled GuzzleHttp library (CVE-2023-29197). This release also resolves several PHP 8.x compatibility and REST API issues.
All installations are strongly advised to upgrade as soon as possible.

  • 0032612: [bugtracker] DEPRECATED: 'Creation of dynamic property BugData::$bug_text_id (dregad)
  • 0032459: [bugtracker] Graphics x Apple Safari 16 (atrol)
  • 0028618: [bugtracker] Category empty but required does not prevent form submission on Firefox Windows and Safari (dregad)
  • 0029438: [api rest] Unsupported operand types when an incident with time tracking notes is updated via REST API (dregad)
  • 0032390: [plug-ins] Impossible to install a plugin without any dependencies (dregad)
  • 0032432: [security] Update guzzlehttp/psr7 to 1.9.1 (dregad)
  • 0032451: [bugtracker] Email uniqueness is not enforced on case-sensitive databases (dregad)
  • 0032703: [bugtracker] Local documentation is not accessible (403) (dregad)
  • 0032788: [ui] Incorrect styling of table headers (dregad)
  • 0032809: [bugtracker] PHP 8.1 deprecation notice in user_search_cache() (dregad)
  • 0032860: [api rest] REST API allows resolving an issue with unresolved children (dregad)
  • 0032865: [html] Wrong HTML tags on "Manage Filters" page (atrol)
  • 0032889: [plug-ins] EVENT_MENU_DOCS is never triggered (dregad)
  • 0026365: [api rest] Missing Authorization header in REST API causing requests to fail (dregad)
  • 0032981: [security] CVE-2023-44394: Information Leakage on DokuWiki Integration (dregad)
15 issues View Issues
Released 2023-04-12

Hotfix release, correcting a regression on PHP 8.1 introduced in 2.25.6, and addressing a few other issues.

  • 0032862: [documentation] REST API documentation for Issue Tag Detach is incorrect (vboctor)
  • 0032086: [bugtracker] IssueViewPageCommand.php line 135: 'Undefined array key "version" with php 8.1.16 (dregad)
  • 0030127: [email] new PHPMailer() is created for every outgoing email (dregad)
  • 0032076: [bugtracker] Ampersand in $g_search_title prevents adding search engine (dregad)
  • 0032243: [plug-ins] EVENT_LOG can produce stack overflow when LOG_DATABASE is enabled (dregad)
  • 0032131: [performance] access_project_array_filter can lead to many SQL requests (dregad)
  • 0032353: [bugtracker] Getting Undefined index: target_version when viewing bug (atrol)
7 issues View Issues
Released 2023-02-22

Security and maintenance release addressing an information disclosure issue (CVE-2023-22476), with thanks to d3vpoo1 for identifying and responsibly reporting it, as well as a vulnerability in bundled moment.js library (CVE-2022-31129). This release also resolves over 20 issues including several PHP 8.x compatibility fixes.

All installations are strongly advised to upgrade as soon as possible.

  • 0030791: [security] Allow adding relation type noopener/noreferrer to outgoing links (dregad)
  • 0030841: [api rest] Update Slim Framework to 3.12.4 (dregad)
  • 0031836: [bugtracker] Date conversion fails when editing a project version using a non-US date format (dregad)
  • 0031889: [bugtracker] Product Version / Target Version - Date missing (dregad)
  • 0031086: [security] CVE-2023-22476: Private issue summary disclosure (dregad)
  • 0030772: [security] Update moment.js to 2.29.4 (dregad)
  • 0024720: [ldap] Editing user with use_ldap_email = ON empties email address (dregad)
  • 0031827: [reports] Graphviz logs syntax error in line xx near ';' (atrol)
  • 0031712: [code cleanup] PHP 8.1 deprecated warnings (dregad)
  • 0031159: [tagging] Undefined constants TAG_NOT_ATTACHED + TAG_ALREADY_ATTACHED in tag_api.php (dregad)
  • 0030922: [bugtracker] Browser extensions may trigger automatic bug monitoring (community)
  • 0030918: [markdown] URLs should only be converted to links when process_url is ON (dregad)
  • 0030835: [ui] unreachable submit button (Update Information) on issue update when using tab key (dregad)
  • 0030814: [signup] Captcha audio not working (dregad)
  • 0030794: [signup] Captcha image not showing on PHP 8.1 (dregad)
  • 0030777: [upgrade] Scalar typehint is not supported in PHP 5.x (dregad)
  • 0030793: [bugtracker] config_flush_cache() doesn't clean the eval cache for individual options (dregad)
  • 0030771: [ldap] Poor error handling when $g_login_method = LDAP and PHP extension missing (dregad)
  • 0031876: [plug-ins] XML import: Undefined property warning when importing bug notes (dregad)
  • 0030429: [other] Upcoming incompatibility with PHP 8.2, "Deprecate ${} string interpolation" RFC (dregad)
  • 0032037: [bugtracker] Remove "sponsorship_total" from columns default (dregad)
  • 0031943: [installation] Creation of dynamic properies is deprecated in PHP 8.2 (dregad)
  • 0030790: [ldap] Deprecated conversion of false to array in ldap_api.php with PHP 8.1 (dregad)
  • 0031829: [ui] Status color boxes shown in black on bug_relationship_graph.php (dregad)
  • 0022238: [documentation] Missing columns on $g_view_issues_page_columns documentation (dregad)
25 issues View Issues
Released 2022-06-24

Security and maintenance release fixing vulnerabilities with SVG files attachments (CVE-2022-33910), which are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.

  • 0030416: [security] Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8 (dregad)
  • 0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad)
  • 0030541: [documentation] Impossibility of deleting attachment with form security validation turned on (dregad)
  • 0030193: [bugtracker] PHP 5.6 support broken (dregad)
  • 0030204: [filters] Create Permalink - special characters handling (dregad)
  • 0030533: [security] Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote (community)
  • 0030384: [security] CVE-2022-33910: Stored XSS via SVG file upload (dregad)
7 issues View Issues
Released 2022-04-28

Maintenance release fixing a couple of regressions introduced in 2.25.3, loading a JavaScript library from CDN and initializing the path on PHP 5.6.

  • 0029991: [installation] Javascript error in browser console when upgrading (dregad)
  • 0024393: [db mssql] APPLICATION ERROR 401 Database query failed. Error received from database was #-52: SQLState: IMSSP (dregad)
  • 0029751: [authorization] APPLICATION ERROR #13 (access denied) while creating new user when theshold configured as MANAGER in administration interface (atrol)
  • 0029857: [bugtracker] Errors trying to load moment.js library from CDN (dregad)
  • 0029853: [bugtracker] $g_path incorrectly set in config_defaults_inc.php on PHP 5.6 (dregad)
  • 0030077: [installation] Installer's Oracle-specific warning regarding identifiers' length is shown initially for MySQL (dregad)
  • 0030178: [authorization] Update issue icon on "My View" page is displayed even without having appropriate access rights (atrol)
  • 0030182: [authorization] Update issue icon on "View Issues" page is displayed even without having appropriate access rights (atrol)
8 issues View Issues
Released 2022-04-13

Security and maintenance release, fixing vulnerabilities in CSV Export (CVE-2021-43257) and Plugins management pages (CVE-2022-26144), as well as in bundled libraries guzzlehttp/psr7 (CVE-2022-24775) and moment.js (CVE-2022-24785). It also addresses several PHP 8.1 compatibility issues.

  • 0022784: [markdown] Markdown formatting doesn't take effect on summary field in View Issues page (dregad)
  • 0029130: [security] CVE-2021-43257: CSV Injection with CSV Export Feature (dregad)
  • 0029848: [security] Update guzzlehttp/psr7 to 1.8.5 (dregad)
  • 0029846: [bugtracker] Passing null to parameter of type XXX is deprecated (dregad)
  • 0029849: [security] Update moment.js to 2.29.2 (dregad)
  • 0029485: [security] Update ADOdb to 5.20.21 (dregad)
  • 0029034: [api soap] SOAP call mc_project_get_id_from_name fails when there is no matching project in PHP 7.2 (community)
  • 0028927: [api rest] Slim Application Error when RestFault generated (community)
  • 0029845: [bugtracker] Constant FILTER_SANITIZE_STRING is deprecated (dregad)
  • 0029144: [attachments] Adding an attachment with a long filename causes "Data too long for column 'filename'" application error (dregad)
  • 0029181: [bugtracker] 'format_issue_summary' custom function not called from View Issue Details page (dregad)
  • 0029416: [ui] Missing closing div tag causes incorrect page footer display (dregad)
  • 0029462: [installation] Unable to install (dregad)
  • 0029413: [custom fields] APPLICATION ERROR 1300 Custom field not found with case-sensitive database (dregad)
  • 0029688: [security] CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php (dregad)
15 issues View Issues
Released 2021-06-15

Security and maintenance release, fixes vulnerabilities in Custom Fields management page (CVE-2021-33557) and in the PHPMailer library, as well as a PHP 8 compatibility issue.

  • 0028803: [custom fields] PHP 8: "Bad Request" error on custom field filters (dregad)
  • 0028821: [security] Update PHPMailer to 6.5.0 (dregad)
  • 0028552: [security] CVE-2021-33557: XSS in manage_custom_field_edit_page.php (dregad)
3 issues View Issues
Released 2021-05-12

Security and maintenance release, fixes a couple of vulnerabilities in PHPMailer and Chart.js libraries, as well as a few other minor issues.

  • 0028106: [administration] Error removing project (dregad)
  • 0028530: [security] Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) (dregad)
  • 0028084: [ui] Labels for email notifications in User Prefs page appear in bold (dregad)
  • 0028082: [ui] Project Edit Page does not display check boxes (dregad)
  • 0028076: [plug-ins] Bundled plugins 2.25.0: incorrect Mantis requirement (dregad)
  • 0028080: [ui] Unsightly vertical offset of the "Update Prefs" and "Reset Prefs" buttons. (dregad)
  • 0028112: [ui] Incorrect spacing between icon and text on manage_user_edit_page.php (dregad)
7 issues View Issues
Released 2021-03-07

This feature and maintenance release contains over 100 fixes and enhancements; among many other things, it improves PHP 8 compatibility, LDAP authentication and invalid plugins management. It also includes a schema change, so do not forget to upgrade the database as documented in the Admin Guide.

Please note that this will be the last release supporting PHP 5; starting with MantisBT 2.26.0, the minimum PHP version will be 7.0 - read the official announcement at

  • 0026974: [installation] Required PHP json extension not documented and checked (atrol)
  • 0027992: [documentation] Remove helper_alternate_class() calls from Developers Guide and document alternative (dregad)
  • 0026142: [plug-ins] Improve handling of invalid / incorrectly installed plugins (dregad)
  •        0017487: [plug-ins] Validate plugin folder name and name match during setup (dregad)
  •        0026143: [plug-ins] Admin checks should detect invalid / incorrectly installed plugins (dregad)
  • 0026919: [api rest] Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5 (dregad)
  • 0015361: [ldap] Add STARTTLS Support to LDAP (community)
  • 0025981: [other] Custom Field doesn't complete with {today} when closing or resolving (dregad)
  • 0026920: [authorization] reporter allowed to close (vboctor)
  • 0027144: [code cleanup] Data integrity: ensure users' default_project preference is a valid project (dregad)
  • 0027574: [ui] Manage users edit page: inconsistent spacing between sections (dregad)
  • 0027827: [attachments] Improve pop-up description for file icons (dregad)
  • 0027118: [security] Update PHPMailer to 6.3.0 (dregad)
  • 0027828: [html] Standardize the way fontawesome icons are printed (dregad)
  • 0026811: [authentication] Username regex is too strict by default (community)
  • 0026617: [documentation] Admin Guide has various broken links, obsolete info, etc. (dregad)
  • 0026798: [administration] PHP warning in config_get_global (dregad)
  • 0026822: [ldap] LDAP configuration options can be set in database (atrol)
  • 0026821: [code cleanup] Standardize access of option database_version (atrol)
  • 0026839: [printing] Viewer does not get Selection column in View Issues or Print Reports lists (atrol)
  • 0026823: [ui] Upgrade to fontawesome version 4.7.0 (syncguru)
  • 0026840: [preferences] Non existing field name os_version used where os_build should be used (atrol)
  • 0026861: [ui] "Move" functionality offered for users that have just access to a single project (atrol)
  • 0026884: [administration] Misleading e-mail notification following password reset by admin (dregad)
  • 0026887: [sub-projects] Project Menu Bar does not indent subprojects properly (dregad)
  • 0026889: [code cleanup] Implement ConfigsGetCommand and use from REST API (vboctor)
  • 0026890: [code cleanup] Implement LocalizedStringsGetCommand and use from REST API (vboctor)
  • 0026891: [api rest] /config REST API endpoint reports users as not found when they exist (vboctor)
  • 0026892: [administration] Attachment settings not available on "Workflow Thresholds" page (atrol)
  • 0026930: [code cleanup] Use user_is_login_request_allowed() instead of duplicating the logic (dregad)
  • 0026963: [ui] Username field in Monitor box triggers password managers (vboctor)
  • 0026964: [bugtracker] Admin check always has "WARN" for magic_quotes checks (PHP 7.4) (atrol)
  • 0027005: [time tracking] User list in time tracking summary is not sorted (dregad)
  • 0027117: [administration] SQL syntax error on manage_user_page (atrol)
  • 0027122: [plug-ins] 3rd-party plugins cannot use chart.js library bundled with MantisGraph (dregad)
  • 0027123: [javascript] MantisGraph: stop using chart.js bundled build (dregad)
  • 0027124: [plug-ins] MantisGraph: update Chart.js library to v2.9.3 (dregad)
  • 0027129: [filters] Preserving filters does not work correctly on sub-sub-projects (dregad)
  • 0027155: [bugtracker] Update securimage to 3.6.8 (dregad)
  • 0011463: [localization] Confusing message when selecting a project to enter an issue (dregad)
  • 0026888: [code cleanup] Refactor printing of project selection menus (dregad)
  • 0026962: [code cleanup] Remove unused bug_monitor_list_view_inc.php file (vboctor)
  • 0026988: [preferences] issue report TOO_MANY_REDIRECTS (dregad)
  • 0027145: [code cleanup] Convert Project and User Pref APIs to use DbQuery class (dregad)
  • 0027160: [ui] Wrong page position after bugnote add/edit (atrol)
  • 0027808: [ui] Questionable UI / button on "Edit Project Category" page (atrol)
  • 0027217: [bugtracker] bugnote_clear_cache() does not work properly (dregad)
  • 0027241: [localization] Improve handling of missing language strings (dregad)
  • 0027242: [bugtracker] Allow printing of standard confirmation alerts without buttons (dregad)
  • 0027256: [bugtracker] Refactor Profiles management pages to display a list of records (dregad)
  •        0027257: [bugtracker] It is not possible to clear the Default Profile (dregad)
  •        0027259: [bugtracker] Profile-related operations lack confirmations (dregad)
  •        0027260: [ui] Confusing redirection when editing profiles (dregad)
  •        0027258: [code cleanup] Code cleanup around User/Global Profiles (dregad)
  • 0027300: [documentation] Fix discrepancies in documentation for $g_display_errors (dregad)
  • 0027302: [plug-ins] Force-installed plugins are not registered in order of priority (dregad)
  • 0027375: [filters] search field at project-selection is not working anymore (dregad)
  • 0027387: [administration] Manage user page table footer is displayed even when empty (dregad)
  • 0027384: [other] Upgrade release build scripts to Python3 (dregad)
  • 0027463: [administration] Sticky setting not available on "Workflow Thresholds" page (atrol)
  • 0027576: [custom fields] Incorrect error message when reporting issue with a custom field failing validation (dregad)
  • 0027575: [code cleanup] Remove obsolete 'posted' form param when reporting new issue (dregad)
  • 0027573: [code cleanup] PHP notice in manage_user_edit_page.php when given invalid user id (dregad)
  • 0027584: [documentation] Out of the box Mantis does not display either a Dependancy or Relationship Graph (dregad)
  • 0027700: [bugtracker] Standardize on IEEE 1541 units (KiB, MiB) for file sizes (dregad)
  • 0027701: [code cleanup] System notice in lang_error_handler (atrol)
  • 0027703: [code cleanup] Error handlers use deprecated context parameter (atrol)
  • 0027768: [administration] When deleting a project, there should be information of how many (if any) issues are affected (dregad)
  • 0027802: [code cleanup] Remove Project Info page (atrol)
  • 0008066: [bugtracker] clickable summaries in view issues page (community)
  • 0012961: [plug-ins] Plugin_force_uninstall is not declared (dregad)
  • 0025764: [email] Enable S/MIME signed e-mail notifications (dregad)
  • 0026481: [api rest] Errors in API documentation (vboctor)
  • 0027113: [sql] Error in bug_api.php when UPDATEing a bug (dregad)
  • 0027150: [performance] Non visible image previews are transferred from server to client (atrol)
  • 0027362: [installation] Sourceforge [admin/test_langs.php] File missing from installation packages ( & mantisbt-2.24.3.tar.gz) (dregad)
  • 0027796: [installation] Using an empty timezone causes PHP notice on PHP 8 (dregad)
  • 0027817: [administration] Issue revision settings not available on "Workflow Thresholds" page (atrol)
  • 0027829: [tools] TravisCI: add PHP 8.0 to tests, and switch to bionic build environment (dregad)
  • 0027830: [db postgresql] PHP 8.0 PostgreSQL builds fail due to deprecated pg_fieldsize() function (dregad)
  •        0026837: [db mssql] Update ADOdb to 5.20.20 (dregad)
  • 0027833: [code cleanup] Unneeded code for option display_project_padding (atrol)
  • 0027839: [change log] No hyperlinks in Changelog and Roadmap release notes (dregad)
  • 0027848: [ldap] Changed default $g_ldap_protocol_version from 0 to 3. (community)
  • 0027849: [ldap] LDAP server must be specified as an URI (community)
  • 0027853: [security] Printing unsanitized user input in account_prof_edit_page.php (atrol)
  • 0027881: [plug-ins] Tag attach group action doesn't trigger EVENT_TAG_ATTACHED (vboctor)
  • 0027882: [plug-ins] Create cronjob script and plugin event (vboctor)
  • 0027884: [administration] Some config options can be set in database, but should be configurable just in config_inc.php (atrol)
  • 0027914: [custom fields] Custom date field with default value left blank even when field is required (dregad)
  • 0027958: [ui] Inconsistent form input labels' font size when HTML label element is used (dregad)
  • 0027969: [api rest] Incorrect documentation for tags (vboctor)
  • 0027972: [ui] Left-align the Send Reminder textarea (dregad)
  • 0027973: [api rest] REST API update issue triggers errors if payload is empty (dregad)
  • 0027978: [ui] Horizontal rules (<hr> tag) are nearly invisible (dregad)
  • 0027981: [api soap] mc_issue_update() throws system warning when Project not specified in IssueData (dregad)
  • 0027982: [db schema] Email field in mantis_email_table is shorter than user email in mantis_user_table (vboctor)
  • 0026665: [custom fields] Custom fields with comma can't be used in Manage Config Columns page (dregad)
  • 0026903: [code cleanup] Move release scripts to main repository (vboctor)
  • 0027298: [code cleanup] Remove unused and regroup duplicated language strings (dregad)
  • 0027950: [custom fields] Validate date custom fields default value format (dregad)
  • 0027956: [custom fields] Remove need to use {} for dynamic dates in custom fields default value (dregad)
  • 0027983: [documentation] Improve Custom Fields documentation (dregad)
  • 0027993: [documentation] Host the Example Plugin from the Developers Guide in a repository in mantisbt-plugins organization (dregad)
  • 0027994: [administration] "Add Version" without entering a version number outputs "Operation successful" though no version has actually been added (dregad)
  • 0028002: [code cleanup] New API function to get User Id by cookie string (dregad)
  • 0025998: [documentation] REST API documentation (vboctor)
107 issues View Issues
Released 2021-03-05

Security and maintenance release, includes PHP 8.0 compatibility fixes.

  • 0027976: [security] CVE-2009-20001: User cookie string is not reset upon logout (dregad)
  • 0027800: [bugtracker] install.php throws SYSTEM WARNINGs (dregad)
  • 0027928: [custom fields] Unable to edit Issues having Date custom fields on PHP 8.0 (dregad)
  • 0027826: [bugtracker] ERROR_CATEGORY_NOT_FOUND_FOR_PROJECT thrown for Category '0' (dregad)
4 issues View Issues
Released 2020-12-30

Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible.

Many thanks to randomdhiraj, ethicalhcop and d3vpoo1 (, for identifying and responsibly reporting these security issues.

This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.

  • 0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
  • 0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
  • 0027361: [security] Private category can be access/used by a non member of a private project (IDOR) (dregad)
  • 0027357: [security] Attacker can leak private information via different functionality (dregad)
  •        0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
  •        0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
  •        0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
  • 0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
  • 0026794: [security] User Account - Takeover (dregad)
  • 0027363: [security] Fixed in version can be changed to a version that doesn't exist (dregad)
  • 0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
  • 0027495: [security] CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function throught the API SOAP. (dregad)
  • 0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)
  • 0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
  • 0027704: [javascript] Javascript error in View Issues page (dregad)
  • 0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
  • 0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
  • 0027444: [security] Printing unsanitized user input in install.php (atrol)
18 issues View Issues
Released 2020-09-25

Security release including 3 CVEs. Many thanks to d3vpoo1 ( for identifying most of the issues.

  • 0027304: [security] CVE-2020-25830: HTML Injection in bug_actiongroup_page.php (dregad)
  • 0027268: [security] Admin can get issues assigned to users not allowed to handle them (dregad)
  • 0027039: [security] CVE-2020-25781: Access to private bug note attachments (dregad)
  • 0027275: [security] CVE-2020-25288: HTML Injection on bug_update_page.php (dregad)
  • 0027276: [security] Send reminder to viewer (dregad)
  • 0027283: [security] Admin can set viewer as a tag creator (dregad)
  • 0027284: [plug-ins] Priority can override to any positive integer (dregad)
  • 0027299: [code cleanup] Remove code duplication in File API (dregad)
  • 0027303: [code cleanup] When processing categories, it is not necessary to know the project id (dregad)
9 issues View Issues
Released 2020-08-07

Security release

  • 0027056: [security] CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php (dregad)
  • 0027003: [security] Update PHPMailer from 6.1.4 to 6.1.6 (dregad)
2 issues View Issues
Released 2020-05-03

Security and maintenance release

  • 0026631: [security] file_get_visible_attachments shows private files that should be invisible to the user (vboctor)
  • 0026893: [security] APIs expose private attachments to users who has access to issue but not private notes (vboctor)
  • 0026781: [bugtracker] changed project order / sequence (dregad)
  • 0026805: [attachments] Attachments box is invisible when notes are private by default (vboctor)
  • 0026835: [attachments] Database Server error while adding file to project (atrol)
  • 0026838: [bugtracker] OS build field not filled in viewing mode (atrol)
  • 0026880: [administration] Impossible to reset user's password (dregad)
  • 0026881: [documentation] Documentation for REST API /users/{id}/reset missing (vboctor)
  • 0026885: [api rest] Resetting password for protected user via REST API should fail (dregad)
  • 0026921: [bugtracker] View Issue page does not show "Product Build" (wrong key names in code) (atrol)
10 issues View Issues
Released 2020-03-14
  • 0017594: [reports] Display issue Summary inside relation graph nodes (dregad)
  • 0026663: [installation] improve installer messages when generating SQL script (dregad)
  • 0026664: [installation] Allow admin to reset table pre/suffix to their default values (dregad)
  • 0026686: [bugtracker] Make category on bug_report_page a required field when $g_allow_no_category = OFF; (dregad)
  • 0026475: [email] Update phpmailer/phpmailer from 6.1.3 to 6.1.4 (dregad)
  • 0026632: [api rest] Support user password reset via REST API (community)
  • 0026598: [db mssql] Update ADOdb to 5.20.16 (dregad)
  • 0026572: [code cleanup] Remove $g_log_destination 'firebug' option, as the project is dead since 2017 (dregad)
  • 0026589: [documentation] Admin Guide: remove doc for long-deprecated $g_ldap_port config (dregad)
  • 0022142: [ui] on Roadmap progress bar 'data-percent' class could stand out better (syncguru)
  • 0026555: [reports] Wrong number of displayed rows on summary page (atrol)
  • 0026567: [code cleanup] Code Cleanup (atrol)
  • 0026473: [ui] Incorrect CSS rules get applied if a word in custom field name matches an existing CSS class (atrol)
  • 0026441: [api rest] Update GuzzleHttp from 6.4.1 to 6.5.2 (dregad)
  • 0026439: [ui] Issue list throws warning on every issue without bug notes. (dregad)
  • 0026165: [relationships] Relationship Graph - inconsistency between button label and title (dregad)
  • 0026636: [installation] Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail (dregad)
  • 0009534: [feature] Limit reporter's access to their own issues (cproensa)
  • 0011365: [plug-ins] New Event: EVENT_MENU_ISSUE_RELATIONSHIP (dregad)
  • 0026164: [relationships] Relationship Graph page is missing legend (dregad)
  • 0026163: [relationships] Relationship Graph page UI lacks MantisBT 2.x layout (dregad)
  • 0011381: [relationships] Dependency Graph crash on circular parent child relationships (dregad)
  • 0026612: [plug-ins] Improve MantisColumn sort capability to allow sorting by more complex expressions (cproensa)
  • 0024600: [filters] BugFilterQuery - issue? - trying to add join & where conditions (cproensa)
  • 0026621: [filters] Wrong filtering by none-relationship (cproensa)
  • 0026623: [ui] Generate token with empty name and APPLICATION ERROR #11 (dregad)
  • 0021133: [rss] Access of non existent image in RSS feeds (dregad)
  • 0026778: [customization] Retire bug_change_status_page_fields config option (vboctor)
  • 0026747: [plug-ins] No equivalent to lang_get_defaulted() in plugin_api() (dregad)
  • 0026662: [installation] Final statement to set database version not logged in SQL script (dregad)
  • 0026661: [installation] Add informational comments to SQL script generated by installer (dregad)
  • 0009155: [time tracking] Cell coloring for due date indicates "overdue" when not overdue yet. (dregad)
  • 0009155: [time tracking] Cell coloring for due date indicates "overdue" when not overdue yet. (dregad)
  • 0026687: [bugtracker] Required fields when reporting an issue, should also be when updating it (dregad)
  • 0026690: [bugtracker] Mass update does not allow setting an empty category (dregad)
  • 0026712: [ui] Provide a way to 'show content' for all complex items on Manage Configuration Report page (dregad)
  • 0026765: [bugtracker] Inheritance of sub project not read correctly from database (dregad)
  • 0026541: [api rest] Passing invalid id to rest api custom field update causes program crash (dregad)
  • 0026540: [api rest] Passing unsanitized data to type hinted function causes program crash (dregad)
  • 0026542: [api rest] Passing out of range custom field id causes multiple PHP warnings / incorrect response (dregad)
  • 0026568: [installation] Use appropriate statement to update DB schema when generating SQL (dregad)
  • 0026438: [bugtracker] Allow multiple, customizable due date levels (dregad)
  •        0016869: [bugtracker] Change of due date background color (dregad)
  •        0009155: [time tracking] Cell coloring for due date indicates "overdue" when not overdue yet. (dregad)
  • 0025115: [roadmap] User can't see in roadmap a private issue that they reported (cproensa)
  • 0025097: [authentication] login username is not trimmed (dregad)
  • 0023570: [bugtracker] Implement limit_reporters as a threshold (cproensa)
  • 0021201: [localization] lang_get_defaulted does not search for fallback language (dregad)
  • 0016869: [bugtracker] Change of due date background color (dregad)
  • 0015466: [bugtracker] Reporter can't see an issue they have been made a monitor of (cproensa)
  • 0010831: [administration] how can I allow user to view only the issue that assigned to them (cproensa)
48 issues View Issues
Released 2020-03-14
  • 0026570: [bugtracker] Assigning bug from group action creates empty bugnote (atrol)
  • 0026622: [ldap] LDAP API does not cache realname information (dregad)
  •        0026600: [performance] Performance loss after update from 2.20.0 to 2.23.0 (dregad)
  • 0026482: [ui] 'View Issue' page fails to populate some fields (ex 'ID') for some projects (but not others) (atrol)
  • 0026470: [localization] Issue values on bug view page are not localized. (atrol)
  • 0026596: [installation] Wrong defaults for db (plugin) table prefix/suffix (dregad)
  • 0026610: [ui] Option history_default_visible does not work (atrol)
  • 0026575: [plug-ins] When calling bug_assign function it auto creates empty note (atrol)
  • 0026629: [ldap] LDAP API throws PHP warning when ldap_connect() fails (dregad)
  • 0026757: [bugtracker] Bugnote from reminder is always public - ignoring private checkbox state (community)
10 issues View Issues
Released 2019-12-09

This feature and maintenance release includes a schema change. Do not forget to upgrade the database as documented in the Admin Guide.

  • 0026195: [api rest] Error requesting issues using saved filter (cproensa)
  • 0026382: [javascript] Update corejs-typeahead.js library to 1.3.0 (dregad)
  • 0026139: [reports] Move MantisGraph pages to their own tab (dregad)
  • 0026086: [api rest] Update Slim Framework to 3.12.3 (dregad)
  • 0026358: [security] Vulnerability from library Moment.js 2.15.2 (dregad)
  • 0026125: [ui] "Users monitoring this issue" section not shown if nobody is monitoring the issue (dregad)
  • 0025902: [api rest] Implement IssueViewPageCommand to separate logic from rendering of issue view page (vboctor)
  • 0009802: [attachments] Support attachments associated with private notes (vboctor)
  • 0025972: [custom fields] Use custom field regular expression in the html input (cproensa)
  • 0021733: [attachments] Attachments should be linkable to notes in db (vboctor)
  • 0010107: [feature] Allow setting reminder bugnotes' view status (dregad)
  • 0026388: [security] Update ADOdb to 5.20.15 (dregad)
  • 0026150: [bugtracker] Closing issues via group action with empty note creates a bugnote record (vboctor)
  • 0024113: [attachments] Attaching files to a note creates a second note with only the attachments (vboctor)
  • 0026265: [email] Bump phpmailer/phpmailer from 6.0.7 to 6.1.3 (dregad)
  • 0026374: [api rest] Update GuzzleHttp from 6.3.3 to 6.4.1 (dregad)
  • 0025960: [attachments] Add files information to EVENT_BUGNOTE_ADD event (vboctor)
  • 0022817: [attachments] "private bugnotes" as default setting prevents uploading further attachments (vboctor)
  • 0025975: [custom fields] Manage custom fields page does not show fields in order (cproensa)
  • 0026081: [attachments] Switching note to private/public, should impact associated attachments (vboctor)
  • 0026083: [auditing] Link attachments issue history events to attachments to determine visibility (vboctor)
  • 0024577: [attachments] Deleting a note, should delete associated attachments (vboctor)
  • 0025935: [attachments] Warning for users when making public notes with attachments private (vboctor)
  • 0026094: [bugtracker] PHP notice in bug view page when viewing issue without category (dregad)
  • 0026134: [time tracking] Bugnotes time spent info is always shown even if time tracking is disabled (dregad)
  • 0026132: [time tracking] Application Error 401 when clicking Time Tracking at the bottom of a bug notes page (dregad)
  • 0026098: [documentation] Update ERD diagram to reflect new field in bug_file table (dregad)
  • 0021799: [documentation] Wrong data types in ERD (dregad)
  • 0026093: [plug-ins] Content Security Policy directive 'frame-ancestors' contains an invalid source when http_csp_add is called for it (dregad)
  • 0026092: [documentation] Invalid URL for GraphViz home page (dregad)
  • 0021712: [filters] No way to filter "negative" for checkbox custom fields (cproensa)
  • 0025905: [ui] Inline actions user experience is inconsistent between different features (syncguru)
  • 0026062: [filters] Filter for a date custom field fails when no values for this field exists (cproensa)
  • 0026128: [ui] Attachments displayed with empty user (dregad)
  • 0026123: [ui] Both "monitor" and "end monitoring" buttons are displayed (dregad)
  • 0026295: [ui] Clone button is not displayed correctly (cproensa)
  • 0026167: [performance] Issue view history api repeated calls to bug_get_attachments database query (cproensa)
  • 0026166: [performance] Issue view api uses many custom field database queries (cproensa)
  • 0009363: [attachments] Comments on attachments (vboctor)
  • 0026141: [custom fields] Use max length property of custom field in inputs (cproensa)
  • 0026109: [db postgresql] check_pgsql_bool_columns: check wrongly suggests that the redirect_delay should be in boolean format (dregad)
  • 0026102: [attachments] Support inline playing of video attachments (vboctor)
  • 0026096: [documentation] preview_*_extensions config options not documented (vboctor)
  • 0026095: [attachments] Support inline playing of audio attachments (vboctor)
  • 0026002: [email] "Email on monitoring" not configurable in manage_config_email_page (cproensa)
  • 0026082: [attachments] Create a place holder note when submitting attachments without text (vboctor)
  • 0026326: [bugtracker] Tags are not copied from master issue when cloning (community)
  • 0026353: [tagging] Tag attachments list includes tags already attached to the bug (dregad)
  • 0026368: [administration] Custom fields selector in manage project page are not ordered by name (cproensa)
  • 0026119: [tagging] Add $g_tag_create_threshold to Workflow Thresholds in the GUI (dregad)
  • 0026294: [ui] Attachments without note text are not displayed (cproensa)
  • 0026367: [administration] Use empty value as default project in "manage project" subproject section (cproensa)
  • 0026030: [custom fields] Filter value "none" is not available for multiselection list custom fields (cproensa)
53 issues View Issues
Released 2019-12-09

Bugfix release

  • 0026351: [preferences] Field "EXCEL columns" has space or tabulation (dregad)
1 issue View Issues
Released 2019-09-26

Security release for 1.3.x series.

  • 0026162: [security] CVE-2019-15715: Command Execution / Injection Vulnerability (dregad)
1 issue View Issues
Released 2019-09-25

Security release for 2.22.x series.

  • 0026110: [administration] [Show content] for Complex Configuration option doesn't work when mod_rewrite is disabled (dregad)
  • 0026091: [security] CVE-2019-15715: [Admin Required - Post Authentication] Command Execution / Injection Vulnerability (atrol)
  • 0026160: [security] Update bundled Bootstrap to 3.4.1 (CVE-2019-8331) (dregad)
  • 0026168: [security] Enable integrity hashes for CSS ressources from CDNs (dregad)
4 issues View Issues
Released 2019-08-31
  • 0026078: [security] CVE-2019-15539: Stored XSS on Project Documentation (atrol)
1 issue View Issues
Released 2019-08-30
  • 0026079: [security] CVE-2019-15539: Stored XSS on Project Documentation (atrol)
  • 0025856: [api soap] SOAP API return value does not match definition in WSDL (dregad)
2 issues View Issues
Released 2019-08-26

Feature and maintenance release.

  • 0025362: [api rest] REST API support for multiple authorization headers (community)
  • 0025969: [other] bug_report_page is forced to be cached (cproensa)
  • 0024189: [bugtracker] Status color squares become black (cproensa)
  • 0029198: [installation] End of Internet Explorer 11 support (dregad)
  • 0025784: [html] Invalid HTML in manage_config_workflow_page.php (dregad)
  • 0025850: [bugtracker] PHP Notices in User API (dregad)
  • 0025961: [tools] PHPUnit tests as run by Travis CI builds do not execute all defined suites (dregad)
  • 0025951: [plug-ins] MantisGraph: update Chart.js library to v2.8.0 (dregad)
  • 0025910: [administration] Simplify displaying of complex values in adm_config_report page (cproensa)
  • 0025839: [html] Leading newlines disappear when editing data in textarea elements (dregad)
  • 0022518: [reports] Graph too large to fit in browser viewport (cproensa)
  • 0021797: [attachments] Add support for pasting images as attachments (syncguru)
  • 0025774: [installation] Reflect PHP requirements in Composer config (dregad)
  • 0006128: [bugtracker] Ability to add monitors to a bug when the bug is first reported (dregad)
  • 0025851: [printing] Remove hyperlinks on usernames in Word export (dregad)
  • 0025162: [plug-ins] Improve plugin schema upgrade error message (dregad)
  • 0025849: [code cleanup] New prepare_mailto_url() API function (dregad)
  • 0025848: [code cleanup] Remove get_email_link() API function (dregad)
  • 0025827: [documentation] Improve documentation for monitors-related configs (dregad)
  • 0025749: [bugtracker] error_string() does not allow HTML tags inside of error messages (dregad)
  • 0025815: [bugtracker] Users can't add monitors if access < show_monitor_list_threshold and >= monitor_add_others_bug_threshold (dregad)
  • 0025470: [api soap] SOAP API return value does not match definition in WSDL (dregad)
  • 0025826: [administration] Impossible to set add/remove monitors thresholds from manage page (dregad)
  • 0025962: [bugtracker] IssueAddCommand does not create history entries identical to the code it replaced (vboctor)
  • 0026077: [api rest] IssueAddCommand should create tag specified by name if they do not exist (dregad)
  • 0026076: [api rest] Adding issue via REST API should fail if requested tags can't be attached (dregad)
  • 0026075: [tagging] Tag-related error messages should reference the tag's name (dregad)
  • 0026074: [tagging] Creating an invalid tag should fail with an error (dregad)
  • 0026066: [plug-ins] Gravatar Plugin Description (atrol)
  • 0026063: [code cleanup] Glue after String Array is being Deprecated (dregad)
  • 0025997: [api rest] Invalid JSON response when creating issue with tag by name via REST API (dregad)
  • 0025996: [api rest] Missing tag name in error message when creating issue via REST API (dregad)
  • 0022898: [security] Email for a new private bugnote was send to a non authorized reporter (dregad)
  • 0025963: [ui] Gravatar plugin should always use https (vboctor)
  • 0023725: [time tracking] Time tracking box rendering is broken (syncguru)
  • 0025953: [plug-ins] Missing an API function to check if a plugin event has been declared (dregad)
  • 0025952: [code cleanup] MantisGraph: define Chart.js-related constants in the plugin (dregad)
  • 0024441: [tagging] Report issue doesn't support multiple new tags (dregad)
  • 0025914: [plug-ins] EVENT_BUGNOTE_DATA event not documented in developer manual (dregad)
  • 0025911: [javascript] Improve client-side sortable tables script (cproensa)
  • 0024590: [plug-ins] Add EVENT_MENU_MAIN_FILTER to allow complete customisation of main menu (dregad)
  • 0025904: [documentation] Admin guide: remove reference to unmaintained Firefox add-on (dregad)
  • 0025894: [code cleanup] Remove unused $p_can_report_only parameter in layout_navbar_projects_list() (dregad)
  • 0025686: [bugtracker] Replace mailto: by link to user profile page in view.php (dregad)
44 issues View Issues
Released 2019-08-19

Security release for 2.21.x series.

  • 0025995: [security] CVE-2019-15074: Stored XSS Vulnerability in Timeline (dregad)
1 issue View Issues
Released 2019-06-13

Maintenance release for 2.21.x series.

  • 0025734: [administration] LOGFILE_NOT_WRITABLE error triggered if file does not exist (dregad)
  • 0025722: [administration] Wrong access_level settings when updating rights in the project admin page (cproensa)
  • 0025742: [other] Summary "By Date (days)" gets wrong number (cproensa)
  • 0025763: [attachments] File upload timeout (atrol)
  • 0025781: [reports] Summary statistics db error message (cproensa)
  • 0025783: [administration] Button label truncated on manage_config_workflow_page (dregad)
6 issues View Issues
Released 2019-04-20
  • 0019642: [administration] If log file is not writable, log_event() fails silently (dregad)
  • 0025703: [api rest] Update Slim Framework to 3.12.1 (vboctor)
  • 0023694: [plug-ins] View Issue page menu links from EVENT MENU_ISSUE event are wrapped with "[", "]" characters (dregad)
  • 0025695: [bugtracker] Redirect to the new issue's page after reporting it (community)
  • 0025614: [installation] Missing file (api/rest/web.config) in installer (dregad)
  • 0025682: [ui] Show Invite button for users with manage users access level, not just administrators (community)
  • 0025679: [ui] Uneven distribution of boxes on My View page when Timeline is OFF (dregad)
  • 0025664: [ldap] LDAP documentation - Remove invalid 'hostname:port' example (dregad)
  • 0025651: [performance] Update color when new Status is selected in Bug Update Page (dregad)
  • 0025650: [ui] Show status with a color square instead of background color on Bug Update Page (dregad)
  • 0025631: [administration] PHP Notice or incorrect file+line number when displaying DEPRECATED error (dregad)
  • 0025629: [administration] E_USER_DEPRECATED errors are no longer displayed inline (dregad)
  • 0023550: [customization] Modification to status colors css (dregad)
  • 0023418: [ui] Plugin tab in Summary section not highlighted when selected (community)
  • 0023333: [filters] sub-project assignments missing from project-specific My View page (cproensa)
  • 0022972: [documentation] Upgrade guide does not mention plugins (dregad)
  • 0022143: [documentation] Encoding of custom files not documented (dregad)
  • 0022104: [ui] My View Page layout misses some boxes (dregad)
  • 0022096: [timeline] My View page without timeline does not respect the $g_my_view_boxes_fixed_position setting (dregad)
  • 0025594: [ui] Projects menu search box should be hidden when having a small number of projects (cproensa)
  • 0023037: [ui] Focus on project search (cproensa)
  • 0025688: [api rest] Inconsistent naming of username field in REST API (community)
  • 0025693: [performance] Improve performance of Summary Page queries (cproensa)
23 issues View Issues
Released 2019-04-20
  • 0025675: [security] CVE-2019-10905: Update Parsedown library to 1.7.3 (dregad)
  • 0025621: [security] vendor folder is not protected (vboctor)
  • 0025661: [bugtracker] Project versions disappear when set "obsolete" (cproensa)
  • 0025697: [html] Viewing Issues > print reports, csv export, excel export - broken links (dregad)
4 issues View Issues
Released 2019-03-16

Feature release

  • 0021931: [reports] Filtered Summary (cproensa)
  • 0020054: [administration] Cant modify configuration for All projects if only one project exists (cproensa)
  • 0005151: [administration] Can't update user's project-specific access level (dregad)
  • 0025390: [tools] Travis CI builds fail for PHP 7.3 (dregad)
  • 0025368: [administration] Manage project, copy from/to forms are easy to click accidentally and don't ask for confirmation (cproensa)
  • 0025436: [email] Bump phpmailer/phpmailer from 6.0.6 to 6.0.7 (dregad)
  • 0024672: [security] Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042) (atrol)
  • 0025213: [rss] RSS feeds broken when using PHP >= 7.0 (atrol)
  • 0025523: [plug-ins] MantisGraph: improve handling of colors in Pie charts (dregad)
  • 0025488: [reports] Update Chart.js to 2.7.3 (atrol)
  • 0025437: [api rest] Update Slim Framework to 3.12.0 (dregad)
  • 0025403: [documentation] $g_notify_new_user_created_threshold_min is ignored on new account creation (atrol)
  • 0025387: [ui] MantisGraph: redundant subtitle on Issue Trends page (dregad)
  • 0025386: [ui] Incorrect spacing between submenu and main div for some MantisGraph screens (dregad)
  • 0025442: [db mssql] Wrong/duplicate bugnote_text_id in mantis_bugnote_table (cproensa)
  • 0025385: [ui] Summary page submenu not aligned when screen narrower than buttons (dregad)
  • 0025381: [api rest] Get project doesn't return all versions (atrol)
  • 0025408: [documentation] Minor documentation fixes (atrol)
  • 0025429: [api rest] Undefined variable t_show_detailed_errors in API REST (dregad)
  • 0025210: [reports] Script error in graphs (cproensa)
  • 0025174: [excel] Float custom field saved as String in XML-Excel export (atrol)
  • 0025168: [reports] MantisGraph. Reporter graph does not fit width of page (dregad)
  • 0025164: [reports] MantisGraph, implement filtered summary for graphs (cproensa)
  • 0025466: [reports] SYSTEM NOTICE on graph pages (atrol)
  • 0025109: [html] Filter widget does not hide botton bar when collapsed (cproensa)
  • 0004624: [feature] Add filtered summary (cproensa)
  • 0014656: [reports] Filter by dates in Summary Graphs (cproensa)
  • 0017304: [documentation] Manual does not describe variable "g_from_name" (atrol)
  • 0020069: [code cleanup] default_email_on_status, misleading comments in config_defaults (atrol)
  • 0023045: [feature] Usability suggestion at Report Issue screen (atrol)
  • 0023904: [performance] Massive queries to user table in edit project (cproensa)
  • 0024347: [security] web.config file is missing in api/rest (community)
  • 0024549: [filters] Permalink - Filter lose information after click on view issues (cproensa)
  • 0024775: [filters] Improve presentation of temporary filters (cproensa)
  • 0024776: [filters] Switching simple/advanced for a temporary filter loses the filter (cproensa)
  • 0025130: [administration] "Check Installation" is missing from Admin menu (dregad)
  • 0025463: [attachments] Dropzone max-filesize option is not correct (cproensa)
  • 0025456: [sql] Page adm_config_report has queries missing db_param_push() (cproensa)
  • 0025522: [plug-ins] MantisGraph: limit number of slices in By Category pie chart (dregad)
  • 0025524: [plug-ins] MantisGraph: improve display of By Category Bar chart (dregad)
  • 0025532: [relationships] Error when adding a relationship if bug id contains whitespace as prefix or suffix (dregad)
  • 0025455: [ui] Page adm_config_report, users in filter list are not correctly ordered (cproensa)
  • 0025515: [api rest] Simple and Advanced filters are not consistent for handling sub-project issues (cproensa)
  • 0025464: [attachments] Enforce max-filesize in dropzone to alert and drop big files before form submission (cproensa)
  • 0025465: [attachments] Dropzone preview does not work (cproensa)
  • 0025454: [ui] Page adm_config_report does not cache users and generate many database queries (cproensa)
  • 0025533: [relationships] When adding multiple relationships, ignore source issue and empty issue ids (dregad)
  • 0025572: [attachments] Redesign Dropzone file previews (cproensa)
  • 0025446: [ui] 'show_queries_count' is a global setting, but 'show_memory_usage', 'show_timer' are not (atrol)
  • 0025434: [email] check all/ uncheck all checkbox for email notifcation (cproensa)
  • 0025400: [api rest] Allow adding/updating/deleting subprojects via REST API (community)
  • 0025378: [ui] Provide sortable functionality to simple tables (cproensa)
  • 0025217: [ui] Enable selection of a range in checkboxes lists. (cproensa)
  • 0025165: [reports] Summary doesn't honour issue access (dregad)
  • 0025163: [reports] MantisGraph summary links don't hghlight current graph page (cproensa)
  • 0025133: [ui] Project selection is shown even if the user has no accesible projects (cproensa)
  • 0025102: [api rest] /api/rest/issues endpoint supposedly returns all issues, but doesn't (community)
  • 0025110: [authentication] Token error when login with a newly created user (cproensa)
  • 0024821: [code cleanup] Wrong caching in version API (cproensa)
  • 0023245: [performance] project versions are not cached efficiently (cproensa)
  • 0022100: [code cleanup] Take care of released/obsolete flag when accessing version_cache_array_rows() cache (cproensa)
  • 0022099: [reports] Missing pie chart in "By Category Graphs" (cproensa)
  • 0012261: [filters] Cannot filter by versions of parent project when child project selected (cproensa)
  • 0009757: [reports] View Issues - Select a Filter - Graph are not linked on this choice (cproensa)
64 issues View Issues
Released 2019-03-16

Maintenance release for 2.19.x series.

2 issues View Issues
Released 2019-03-16

Security and PHP compatibility fixes

  • 0025180: [security] Update ADOdb from 5.20.9 to 5.20.14 for security and compatibility fixes (dregad)
1 issue View Issues
Released 2019-01-02
  • 0025002: [custom fields] Error when updating content in a custom field of type "Text Area" ("Textbereich"): History cannot be stored (atrol)
  • 0024986: [api rest] Update Guzzle to 6.3.3 (dregad)
  • 0024990: [email] Update PHPMailer to 6.0.6 (dregad)
  • 0024987: [api rest] Update Slim Framework to 3.11.0 (dregad)
  • 0024931: [signup] PHP warnings and errors when trying to signup existing user (atrol)
  • 0024989: [bugtracker] Update ADOdb to 5.20.13 (dregad)
  • 0025112: [other] Link to create new user is a form and prevents reloading (cproensa)
  • 0021284: [installation] memory_limit test fails when memory_limit is set to -1 (atrol)
  • 0025116: [roadmap] Manage workflow thresholds does not have the option for "view roadmap" (cproensa)
  • 0025099: [authentication] Auth plugins can't control session expiry time and disable perm login (vboctor)
  • 0025061: [authentication] Generic error is triggered when anonymous login is not defined (dregad)
  • 0025072: [filters] Could not use the FilterBugList filter with "Permalink" (community)
  • 0025059: [administration] View User Page: hide footer at bottom of User Info table when not needed (dregad)
  • 0025100: [plug-ins] Display header fails when no user is authentication and anonymous login is off (vboctor)
  • 0025043: [code cleanup] Code Cleanup (atrol)
  • 0025042: [administration] Add some more information to view_user_page (atrol)
  • 0025033: [installation] Warning with PHP 7.3: "continue" targeting switch is equivalent to "break". Did you mean to use "continue 2"? (atrol)
  • 0025016: [bugtracker] Default projection is ignored (atrol)
  • 0024988: [email] Update Disposable Email Checker to 3.1.0 (dregad)
  • 0024976: [ui] Sidebar's collapsed state is not preserved (dregad)
  • 0024932: [preferences] "Manage" menuitem visible even though no access (atrol)
  • 0024925: [administration] Misleading Message in the creation of user (atrol)
  • 0024896: [authentication] Password managers don't work with password login page (cproensa)
  • 0024882: [relationships] relationship_can_resolve_bug function problem (atrol)
  • 0024877: [bugtracker] IssueNoteAddCommand: reassign_on_feedback doesn't work if reporter is not specified (vboctor)
  • 0023712: [authentication] auth_get_current_user_id can return strings while that is not expected (vboctor)
26 issues View Issues
Released 2019-01-02
2 issues View Issues
Released 2019-01-02
  • 0025129: [code cleanup] Remove usage of deprecated function __autoload (atrol)
  • 0025131: [security] Update PHPMailer to 5.2.27 (dregad)
2 issues View Issues
Released 2018-10-17

Feature release

  • 0024774: [tagging] Error Creating Issue with new TAG (vboctor)
  • 0024822: [code cleanup] Code Cleanup (atrol)
  • 0024741: [plug-ins] Plugin Columns - Export CSV or Excel - PHP 7.2.7 - crash error 500 - Reason missing 2 argument in call (dregad)
  • 0010411: [bugtracker] Changes to project_view_state and view_state to create only private projects (vboctor)
  • 0024520: [html] Missing fallback for "Open Sans" font (community)
  • 0024823: [performance] Performance enhancements of string processing (atrol)
6 issues View Issues
Released 2018-10-16

Maintenance release for 2.17.x series.

  • 0024814: [security] CVE-2018-17783: XSS in manage_filter_edit_page.php (atrol)
  • 0024813: [security] CVE-2018-17782: XSS in manage_filter_page.php (atrol)
2 issues View Issues
Released 2018-09-25

Security fix for 2.17.x release

  • 0024731: [security] CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php (dregad)
1 issue View Issues
Released 2018-09-04

Feature release

  • 0012677: [administration] Please change a search option to manage users (atrol)
  • 0024632: [tagging] Tag cannot be selected if a tag containing the text of that tag has already been selected (atrol)
  • 0024616: [relationships] relationship visibility in different project permission (atrol)
  • 0024633: [bugtracker] Late error message when trying to resolve issues (atrol)
  • 0024635: [authorization] Wrong box visibility on My View page (atrol)
  • 0024719: [administration] Impersonate User is offered for disabled users (atrol)
  • 0024717: [api soap] Add filter for the “last updated“ date in the soap api (community)
  • 0024696: [authorization] Custom fields can be changed without having update_bug_threshold access rights (atrol)
  • 0024644: [ui] Footer displays behind sidebar on bug_actiongroup.php (dregad)
  • 0024643: [ui] bug_actiongroup and custom bug_actiongroup don't provide the same user experience when displaying error message (dregad)
  • 0024636: [api rest] Add function to delete a project via REST API (vboctor)
  • 0024624: [api rest] Add function for updating a project via REST (community)
  • 0024622: [api rest] Add function for creating a new project via REST (community)
  • 0023915: [administration] Search for a part of (Real Name - Username - Email) (atrol)
  • 0023336: [html] Inline image attachments should have their own container to prevent scrolling (atrol)
  • 0020101: [api soap] mc_filter_search_issues can't filter by date (community)
16 issues View Issues
Released 2018-09-04

Maintenance release for 2.16.x series.

  • 0024647: [security] CVE-2018-14895: XSS in bug_actiongroup.php (atrol)
1 issue View Issues
Released 2018-09-03

Maintenance release for 1.3.x series.

  • 0024648: [security] CVE-2018-14895: XSS in bug_actiongroup.php (atrol)
1 issue View Issues
Released 2018-07-30

Feature release

  • 0024416: [upgrade] Improve handling of unserialize errors when upgrading (dregad)
  • 0022083: [ui] Local copy of Open Sans font does not include Latin-ext characters (atrol)
  • 0023978: [ui] Fonts are not rendered correctly in Windows clients (atrol)
  • 0023992: [ui] Font = Times News Roman after Upgrade from v2.7.0 (atrol)
  • 0024501: [installation] MantisBT on Windows - Check for php_fileinfo.dll enabled on php.ini (atrol)
  • 0024523: [performance] Unneeded information in Change Log and Roadmap (atrol)
  • 0024552: [code cleanup] Code Cleanup (atrol)
  • 0024553: [performance] Performance enhancement of config_get_global function (atrol)
  • 0024564: [timeline] Missing display of events in Timeline if All Projects is selected (atrol)
  • 0024578: [documentation] Documentation: PHP documentation link: "installation.php" -> "install.php" (dregad)
  • 0024579: [documentation] Documentation: Admin Guide: Installation: Broken Link "Microsoft IIS", is now (dregad)
  • 0021376: [upgrade] Error in upgrade process 1.2.17 --> 1.3.0 (dregad)
12 issues View Issues
Released 2018-07-30

Maintenance release for 2.15.x series.

  • 0024580: [security] CVE-2018-13055: Reflected XSS in view filters page (dregad)
  • 0024608: [security] CVE-2018-14504: XSS in edit filters page (atrol)
2 issues View Issues
Released 2018-06-05
  • 0024437: [filters] Cannot save private filter if not allowed to save shared filter (community)
  • 0024496: [wiki] URL encoding precludes reasonable wiki root_namespace values (community)
  • 0024242: [bugtracker] Incorrect issue status setting when changing status (vboctor)
  • 0024388: [api rest] Support create project versions via REST API (vboctor)
  • 0024398: [tagging] Exception Missing Class (atrol)
  • 0024432: [security] Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks (atrol)
  • 0024435: [filters] show_user_realname_threshold is not considered when sorting by reporter or handler (atrol)
  • 0024436: [ui] Selecting users is not easy if show_realname is set to ON (atrol)
  • 0024470: [other] System warning if $g_log_destination = 'page' when using PHP 7.2 (atrol)
  • 0024462: [api soap] Error while querying for issue header with PHP 7.2 (atrol)
  • 0024476: [performance] Unneeded <meta> tag in <head> section (atrol)
  • 0024139: [ui] $g_show_realname for making usernames private (atrol)
12 issues View Issues
Released 2018-04-30
  • 0024336: [administration] Plugin priority changed without being changed by user interaction (atrol)
  • 0024192: [bugtracker] Update ADOdb to 5.20.12 (dregad)
  • 0024236: [code cleanup] IssueAddCommand Prevents API Folder Removal (atrol)
  • 0024174: [code cleanup] E_DEPRECATED error on php7.2: each() function (dregad)
  • 0024196: [api rest] Update Slim Framework from 3.8.1 to 3.9.2 (vboctor)
  • 0024197: [api rest] Update GuzzleHttp from 6.3.0 to 6.3.2 (vboctor)
  • 0024220: [documentation] Wrong documentation of datetime_picker_format in Admin Guide (atrol)
  • 0024325: [code cleanup] Code Cleanup (atrol)
  • 0024326: [documentation] Wrong documentation of my_view_boxes in Admin Guide (atrol)
  • 0024333: [api rest] Support getting a single project via REST API (vboctor)
10 issues View Issues
Released 2018-04-29

Maintenance release for 2.13.x series.

  • 0024221: [security] CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality (dregad)
  • 0024233: [markdown] Markdown quoting rendered with broken HTML (atrol)
  • 0024239: [email] Inconsistent realname display (atrol)
  • 0024335: [api rest] Get all filter or specific filter returns incorrect information (vboctor)
  • 0024343: [api rest] REST API returns too much info for default category handler (vboctor)
  • 0024346: [api rest] Don't show category default handler for users that can't manage the project (vboctor)
  • 0024349: [api soap] API method mc_filter_get does not work (vboctor)
  • 0024353: [code cleanup] mb_internal_encoding no longer being set because of removal utf8 library (atrol)
  • 0024355: [bugtracker] SYSTEM WARNING 'count(): Parameter must be an array or an object that implements Countable' in 'IssueNoteAddCommand.php (atrol)
9 issues View Issues
Released 2018-04-29

Security fixes release for 1.3.x series.

  • 0024365: [security] CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality (dregad)
1 issue View Issues
Released 2018-04-04

Maintenance release for 2.13.x release series.

  • 0024202: [markdown] Broken rendering of @ mentions, # issue and ~ note links (atrol)
1 issue View Issues
Released 2018-04-04

Maintenance release for 2.12.x release series.

  • 0024201: [markdown] Broken rendering of @ mentions, # issue and ~ note links (atrol)
1 issue View Issues
Released 2018-04-01

Feature release

  • 0023998: [code cleanup] Implement IssueAddCommand and use it from SOAP, REST and Web UI (vboctor)
  • 0024056: [custom fields] Custom Fields of type "Textarea" cannot contain more than 255 chars due to bug_history table (atrol)
  • 0023161: [timeline] Show File Attachment events in Timeline (dregad)
  • 0024128: [administration] Unable to start system check or installation with wrong PHP version (atrol)
  • 0010853: [filters] In View Issues list, several columns are sorted by Id instead of display value (cproensa)
  • 0021404: [filters] System Error on changing filters (dregad)
  • 0016070: [email] Delay due to Mantis trying sending emails to non existent address (vboctor)
  • 0023498: [filters] Filtering "note by" with "none" does not return any result (cproensa)
  • 0024009: [api soap] Add Issue SOAP API doesn't add the issue to recent list (vboctor)
  • 0024008: [api rest] Add Issue REST API doesn't add the issue to recent list (vboctor)
  • 0024007: [api soap] Add Issue SOAP API doesn't trigger EVENT_REPORT_BUG plugin event (vboctor)
  • 0024006: [api rest] Add Issue REST API doesn't trigger EVENT_REPORT_BUG plugin event (vboctor)
  • 0024005: [api soap] Add Issue SOAP API doesn't trigger issue_create_notify custom function (vboctor)
  • 0024004: [api rest] Add Issue REST API doesn't trigger issue_create_notify custom function (vboctor)
  • 0024003: [api soap] Add Issue SOAP API doesn't trigger issue_create_validate custom function (vboctor)
  • 0024002: [api rest] Add Issue REST API doesn't trigger issue_create_validate custom function (vboctor)
  • 0024001: [api soap] Add Issue SOAP API doesn't trigger EVENT_REPORT_BUG_DATA plugin event (vboctor)
  • 0024000: [api rest] Add Issue REST API doesn't trigger EVENT_REPORT_BUG_DATA plugin event (vboctor)
  • 0023999: [code cleanup] Implement IssueDeleteCommand and use it from SOAP, REST, and Web UI (vboctor)
  • 0008167: [filters] Filter settings saved when using Anonymous account (cproensa)
  • 0007264: [filters] Not able to filter issues that have no relationship assigned (cproensa)
  • 0008204: [filters] Filters not remembered when clicking through from "My View" (cproensa)
  • 0023214: [performance] Remove usage of outdated phputf8 library (atrol)
  • 0022785: [api rest] Support adding attachments when reporting issues (vboctor)
  • 0023549: [db mysql] Entering Emojis in comments with a user mention crashes with an error (atrol)
  • 0024140: [filters] Application error 401: "ORDER BY clause is not in SELECT list" when sorting by category or project (cproensa)
  • 0024089: [authentication] POST request to login_password_page.php return 405 when admin folder is deleted or access restricted (atrol)
  • 0013177: [filters] On ‘View Issues’ Page the filter does not allow user to select ‘blank’ ('No Category') Category (cproensa)
  • 0024042: [filters] filter on relationships mistuned by switching sort order (cproensa)
  • 0021865: [filters] Filter out duplicated issues (cproensa)
  • 0021867: [filters] Filter filed "relationships" resets its value when "duplicate of" is selected (cproensa)
  • 0023476: [bugtracker] Can't login if admin directory has restricted access (atrol)
  • 0023499: [filters] Filtering with "note by" shows results from private notes for unprivileged users (cproensa)
  • 0023500: [filters] Search filter returns matches in private notes for unprivileged users (cproensa)
  • 0023501: [filters] Filter "monitored by" does not have option for "none" (cproensa)
  • 0023502: [filters] Filter "assigned to" does not account for configuration "view_handler_threshold" (cproensa)
  • 0023504: [filters] Filter "monitored by" does not account for configuration "show_monitor_list_threshold" (cproensa)
  • 0023506: [filters] Filter tags inconsitent with OR filter operator (cproensa)
  • 0023538: [filters] Filter field for relationship bug id is set to -1 by default (cproensa)
  • 0022376: [documentation] Wrong documentation of string customization (atrol)
  • 0024158: [bugtracker] Support providing a default value for issue description (vboctor)
  • 0024159: [documentation] $g_default_bug_steps_to_reproduce not documented (vboctor)
  • 0024160: [documentation] $g_default_bug_additional_info not documented (vboctor)
43 issues View Issues
Released 2018-04-01

Maintenance release for 2.12.x

  • 0024077: [timeline] Hyperlink usernames in timeline to user page (vboctor)
  • 0024090: [ui] Username (Realnames) format not showing on timeline (my_view_page) (vboctor)
  • 0024186: [security] CVE-2018-1000162: XSS vulnerability in Parsedown library (dregad)
  •        0024297: [security] Update Parsedown library to 1.7.1 (dregad)
  • 0024167: [bugtracker] History entries display realname instead of username (atrol)
  • 0024097: [ui] Account page required change password on any field modification (atrol)
  • 0024161: [timeline] Wrong color of username in timeline (atrol)
7 issues View Issues
Released 2018-03-04

Feature release

  • 0023966: [code cleanup] Option session_handler not implemented (atrol)
  • 0023375: [mentions] It is hard to @ mention users when show realnames is enabled (vboctor)
  • 0010493: [code cleanup] Non-existent duplicate_realname column is updated by various functions in user_api.php (vboctor)
  • 0022509: [mentions] users with dashes in their name will not work when @mentioned (example @r-frank) (community)
  • 0023960: [plug-ins] EVENT_AUTH_USER_FLAGS should always be passed username rather than name (vboctor)
  • 0023961: [timeline] Identify Timeline tags operations with a specific icon (dregad)
  • 0023969: [performance] Minor performance and code enhancements of config functions (atrol)
  • 0024020: [localization] Update supported languages (siebrand)
  • 0024043: [ldap] $g_ldap_realname_field generates WARNING: field 'givenName' does not exist. (community)
9 issues View Issues
Released 2018-02-11

Maintenance release for 2.11.x series.

  • 0023955: [administration] Warning message on login page (atrol)
  • 0023954: [api rest] REST API doesn't work from UI for some users (vboctor)
2 issues View Issues
Released 2018-02-07

Feature release

  • 0023868: [api rest] Support deleting issue relationships via REST API (vboctor)
  • 0023706: [administration] trigger_error() with errors must terminate scripts rather than being config based (vboctor)
  • 0023876: [installation] Running admin/check fails (dregad)
  • 0023838: [api rest] Create user via REST API (vboctor)
  • 0023942: [bugtracker] Remove deprecated "errcontext" parameter from standard error handler (dregad)
  • 0023925: [security] Site path leakage in error handler (vboctor)
  • 0023837: [code cleanup] Implement UserCreateCommand to create users (vboctor)
  • 0023754: [code cleanup] Remove unused function print_bracket_link and code cleanup (atrol)
  • 0023758: [ui] Allow users to select font family that fits them best (syncguru)
  • 0023900: [administration] Unable to update user access level, due to check on 'Realname' returning KO (APPLICATION ERROR #807) (vboctor)
  • 0023776: [attachments] Support adding attachments that were not uploaded via the browser (vboctor)
  • 0023899: [api rest] Relationship type was localized in GET issue API (vboctor)
  • 0023780: [api rest] Return status code 429 when hitting spam check limits (vboctor)
  • 0023830: [security] Update PHPMailer to 5.2.26 (dregad)
  • 0023787: [administration] Protected admin users can't be unprotected (atrol)
  • 0023786: [code cleanup] Implement IssueNoteDeleteCommand for deleting notes (vboctor)
  • 0023785: [api rest] Adding notes via SOAP and REST API with time tracking uses incorrect access check (vboctor)
  • 0023784: [api rest] REST and SOAP API send two email notifications for mentioned users (vboctor)
  • 0023773: [api rest] Support time tracking when adding notes via REST API (vboctor)
  • 0023772: [api rest] Support attachments when adding notes via REST API (vboctor)
  • 0023762: [api rest] Support adding users to monitor an issue via REST API (vboctor)
  • 0023714: [api rest] Failing REST API requests should include Mantis error code and localized message (vboctor)
  • 0012978: [code cleanup] Summary - Time Stats For Resolved Issues (days) (dregad)
  • 0023898: [api rest] Some relationships are not formatted correctly in GET issue rest API (vboctor)
  • 0023867: [code cleanup] Implement IssueRelationshipDeleteCommand (vboctor)
  • 0023866: [api rest] Support adding relationships via REST API (vboctor)
  • 0023865: [code cleanup] Implement IssueRelationshipAddCommand to add relationships (vboctor)
  • 0023863: [reports] Summary: Reporter and Developer by Resolution miss a Total column (dregad)
  • 0023858: [api rest] Add REST API to detach a tag (vboctor)
  • 0023856: [code cleanup] Implement TagDetachCommand to detach tags (vboctor)
  • 0023855: [code cleanup] Implement TagAttachCommand for attaching tags (vboctor)
  • 0023854: [reports] Summary: always show the "By Project" box (dregad)
  • 0023840: [api rest] Delete user via REST API (vboctor)
  • 0023839: [code cleanup] Implement UserDeleteCommand for deleting users (vboctor)
  • 0023828: [api rest] Support adding attachments to existing issues via REST API (vboctor)
  • 0023796: [reports] Filter links for resolved/closed custom statuses in Summary By Status report are incorrect (dregad)
  • 0023857: [api rest] Add REST API to attach a tag (vboctor)
  • 0023774: [code cleanup] Implement IssueNoteAddCommand to share code for adding notes (vboctor)
  • 0023627: [feature] Summary page enhancement with bugs ratio support (dregad)
  • 0011327: [reports] "Developer By Resolution" is the only box in the Summary page not ordered (at least it doesn't seem to be any logic behind it) (dregad)
  • 0022792: [api rest] Support downloading issue attachments (vboctor)
  • 0023943: [bugtracker] Improve detailed error page layout (dregad)
  • 0023944: [bugtracker] The stack trace on detailed error page should not include the error handler itself (dregad)
  • 0023930: [installation] Make Fileinfo a mandatory PHP extension (atrol)
  • 0023926: [ui] Footer displayed under sidebar on error page when $g_show_detailed_errors = ON (dregad)
  • 0023775: [attachments] Remove obsolete code that checks if PHP file info API is defined (vboctor)
46 issues View Issues
Released 2018-02-07

Bug fix and security release for 2.10.x series.

  • 0023924: [relationships] Resolving as duplicate does not add reporter and handler to monitoring list of duplicate issue (atrol)
  • 0023746: [api soap] unable to create a bug with customfields via SOAP (vboctor)
  • 0023765: [api rest] Wrong constructor name in class FilterConverter (atrol)
  • 0023906: [security] CVE-2018-6403: XSS in adm_config_report.php 'value' parameter (dregad)
4 issues View Issues
Released 2018-02-07

Security release for 1.3.x series.

  • 0023918: [security] CVE-2018-6403: XSS in adm_config_report.php 'value' parameter (dregad)
1 issue View Issues
Released 2017-12-30

Feature release

  • 0023710: [code cleanup] Remove usage of deprecated function __autoload (vboctor)
  • 0022789: [api rest] Support retrieving user defined filters (vboctor)
  • 0009007: [time tracking] Billing summary does not include sub-projects (community)
  • 0022790: [api rest] Support standard filters defined by the system when retrieving issues (vboctor)
  • 0023679: [administration] Limit change of impersonation threshold to global config (atrol)
  • 0023690: [api rest] Support deleting filters (vboctor)
  • 0023722: [time tracking] Don't print time tracking buttons and export links (community)
  • 0023723: [time tracking] Support configurable default billing rate (community)
  • 0023724: [time tracking] Removed useless collapse icon with duplicated title in billing report (community)
  • 0023742: [html] Broken url for MantisBT logo in admin section (community)
  • 0023753: [ui] UI of Update Produkt Build page broken (atrol)
11 issues View Issues
Released 2017-12-30

Bug fix release for 2.9.x series

  • 0021393: [administration] When disable "Update an issue", then "Assign to" become access denied (vboctor)
  • 0022093: [administration] Reporter can´t change status of a bug (vboctor)
  • 0023719: [administration] The reporter can not solve or close the issue (vboctor)
  • 0023721: [bugtracker] PHP error in change status page when user doesn't have access to private notes (vboctor)
4 issues View Issues
Released 2017-12-04

Feature release

  • 0012602: [custom fields] Default value for a date don't work (vboctor)
  • 0023573: [code cleanup] Unneeded code for option meta_include_file (atrol)
  • 0023640: [code cleanup] Usage of deprecated each() function (atrol)
  • 0023639: [code cleanup] Unneeded code for non supported old PHP versions (atrol)
  • 0023654: [api rest] Don't validate handler when updating issues without updating handler (vboctor)
  • 0023658: [plug-ins] UI for protected plugins broken (atrol)
  • 0023577: [api rest] REST APIs don't enforce required custom fields when reporting issues (vboctor)
  • 0023578: [documentation] Document need for consistency between "normal" and "datepicker" date formats (dregad)
  • 0019482: [custom fields] Using custom fields (date) with default value and required on resolve displays an error (vboctor)
  • 0023657: [api soap] mc_issue_update returns bug is read only on status update (atrol)
  • 0023653: [api rest] Leverage If-Match when updating issues (vboctor)
  • 0023650: [api rest] Leverage If-Match when deleting issues (vboctor)
  • 0023648: [api rest] Leverage ETag headers when getting issues (vboctor)
  • 0023645: [other] No preview of ANSI encoded text files that contain German Umlauts (atrol)
  • 0023630: [administration] Some check boxes on Manage Configuration > Workflow Threshold page are not centered (community)
  • 0023626: [performance] Unneeded code executed when retrieving global settings (atrol)
  • 0023625: [code cleanup] Function require_lib contains code to search in vendor folder (atrol)
  • 0023620: [api rest] PHP error on getting issues when user doesn't have access (vboctor)
  • 0023616: [api rest] Support exporting issue history (vboctor)
  • 0023594: [custom fields] Reporting an issue with default date {now} that is not visible doesn't work (vboctor)
  • 0023579: [api rest] Internal Server Error 500 when category doesn't exist (vboctor)
  • 0023575: [api rest] Category lookup is case sensitive (vboctor)
  • 0023572: [code cleanup] Unneeded code for unsupported database types (atrol)
  • 0023466: [db mysql] database is not supported by PHP. Check that it has been compiled into your server. (atrol)
  • 0023576: [api rest] Issues created via REST API with date custom fields fail (vboctor)
  • 0023692: [authentication] Token API does not work with config show show_realname (dregad)
26 issues View Issues
Released 2017-12-04

Bug fix and security release for 2.8.x series.

  • 0023599: [bugtracker] Access denied when updating bugs (atrol)
1 issue View Issues
Released 2017-12-04

Security release for 1.3.x series.

  • 0023561: [api soap] mc_project_get_issues_for_user() is retrieving issues in the authorization context of target user (vboctor)
1 issue View Issues
Released 2017-10-29

Feature release including fixes and new features including REST API issue updates and DKIM support for email signing. This release is the first to have REST API enabled by default.

  • 0023560: [bugtracker] Notes added via change status / edit always market private when private by default (vboctor)
  • 0021225: [bugtracker] resolving parent issues inconsistency (community)
  • 0023446: [performance] Unneeded files delivered if Mantis Graphs plugin is enabled (atrol)
  • 0023474: [custom fields] Empty numeric fields should be display as empty rather than 0 (community)
  • 0023555: [ui] Bugnote text area not styled correctly when private by default (vboctor)
  • 0023396: [api rest] REST API Issue update support (vboctor)
  • 0023488: [code cleanup] Usage of deprecated constant (atrol)
  • 0023517: [administration] Remove unused config option inline_file_exts (community)
  • 0023494: [html] Wrong class name for tags output (atrol)
  • 0023483: [bugtracker] Auto-refresh shouldn't update last visited (atrol)
  • 0023477: [api soap] Updating issues via APIs should trigger email notifications (vboctor)
  • 0023475: [custom fields] Empty float fields should be displayed as empty rather than 0 (community)
  • 0023460: [ui] Useless UI element on manage_proj_page (atrol)
  • 0023451: [performance] Unneeded code delivered to support unsupported IE9 (atrol)
  • 0013126: [plug-ins] Add plugin event EVENT_BUG_ACTIONGROUP_FORM (cproensa)
  • 0023493: [email] DomainKeys Identified Mail (DKIM) Signatures (community)
  • 0023503: [bugtracker] Handler user is visible even if view_handler_threshold is configured to not allow (cproensa)
  • 0023516: [api rest] Enable REST API by default (vboctor)
  • 0022842: [code cleanup] Remove php_version_at_least() function from PHP API (dregad)
  • 0023518: [bugtracker] "show_assigned_names" configuration is not applied correctly in view_all_bug_page (cproensa)
  • 0023528: [filters] Filter "advanced" mode is reset after sorting through column headers (cproensa)
  • 0023537: [api rest] Facilitate troubleshooting REST API by displaying detailed errors (dregad)
  • 0023543: [email] Update PHPMailer to v5.2.25 (vboctor)
  • 0023542: [code cleanup] Force composer to honor PHP compatibility advertised for MantisBT (vboctor)
  • 0022441: [bugtracker] Notes are not in the correct order after cloning an issue (cproensa)
  • 0016133: [custom fields] Numeric field accepts floats and displays them as numeric (vboctor)
26 issues View Issues
Released 2017-10-28

Maintenance release for 2.7 series.

  • 0023507: [authentication] Users can't change their password when it is blank (dregad)
  • 0023512: [html] Custom field type checkbox with required status, force to check all checkboxes to proceed (atrol)
  • 0023544: [installation] Unattended upgrade is broken after moving to Composer (vboctor)
3 issues View Issues
Released 2017-10-08

A feature release that includes both functional and performance improvements.

  • 0023378: [installation] Installation fails when using old but still allowed PHP version 5.3 (atrol)
  • 0022310: [html] Use HTML5 "required" attribute for required form fields (community)
  • 0023395: [db oracle] Performance issue reading config table with oracle database (cproensa)
  • 0009120: [custom fields] Numeric Custom fields on View All don't sort correctly (atrol)
  • 0023324: [performance] Generated css, js code should be cached by browser (cproensa)
  • 0023323: [reports] Wrong filter links on summary page (atrol)
  • 0023381: [code cleanup] Unneeded code for unsupported PHP versions (atrol)
  • 0023420: [relationships] Resolving as duplicate adds reporter and handler to monitoring list (atrol)
  • 0023225: [authentication] Token API does not work with config show show_realname (dregad)
  • 0022872: [ui] Make some buttons visible only when hovering on relevant container (cproensa)
  • 0023251: [timeline] Timeline in view user page resets the user id after dates navigation (cproensa)
  • 0023310: [performance] Unused CSS delivered (atrol)
  • 0023248: [ui] Project selection dropdown focus on current selection (cproensa)
  • 0023331: [code cleanup] New user_get_username() API function (dregad)
  • 0023242: [code cleanup] Function project_get_local_user_access_level() is redundant (cproensa)
  • 0023216: [tagging] Make tag view threshold work at project level (cproensa)
  • 0022871: [ui] print_form_button() does not render inline buttons (cproensa)
  • 0022870: [ui] buttons without separation (cproensa)
  • 0023267: [ui] Misplaced "Reset Prefs" button in user prefs with narrow screen (dregad)
  • 0021654: [code cleanup] Deprecate access_has_any_project() (cproensa)
  • 0023301: [api rest] Request an issue in the REST API fail without warning if an enumeration is missing. (community)
  • 0023264: [api rest] Custom fields not been saved when adding issue through the Rest API (community)
  • 0023311: [filters] "View issues" on changelog page does not show closed issues (atrol)
  • 0023268: [db oracle] Error filtering custom fields of type date (cproensa)
  • 0023382: [customization] Login logo image not configurable by css (cproensa)
  • 0023367: [plug-ins] Add no-op upgrade step in plugin_upgrade() (dregad)
  • 0022492: [ui] Regression: Resolved/Closed issues are not shown with a line-through (strike-through) (community)
  • 0023393: [administration] Provide some basic operating environment information on manage_overview_page (atrol)
  • 0022182: [ui] Burger menu is sometimes visible without functionality (cproensa)
  • 0023411: [performance] Unneeded string copies in general text processing (atrol)
  • 0023425: [reports] PHP errors and warnings when running Issue Trend report (atrol)
  • 0023377: [other] Textarea custom field entry missing from email (atrol)
  • 0023249: [feature] When logging the caller function, also print the class name if it's a class method (cproensa)
  • 0023436: [filters] Editing a stored filter can't update projects property (cproensa)
  • 0023443: [custom fields] Fixes related to custom fields on filters, columns and visibility (cproensa)
  •        0023266: [custom fields] Filter selection for numeric custom fields show values not coherent with custom field type (cproensa)
  •        0023265: [custom fields] Filter selection for numeric custom fields aren't sorted correctly on distinct values list (cproensa)
  •        0023260: [custom fields] Custom fields of type date are not sorted correctly (cproensa)
  •        0005713: [custom fields] Custom fields of subprojects are shown in filter for "All projects" but not in parent project. (cproensa)
  •        0023233: [custom fields] Issues returned by filter has linked custom fields that are not available as columns (cproensa)
  •        0023232: [filters] Custom field is showed in filter when the user has not view access (cproensa)
  •        0023223: [filters] Custom fields filter does not account for read access at project level (cproensa)
  •        0019385: [filters] Filtering custom field show bugs from projects where this custom field has been removed (cproensa)
  •        0016359: [filters] Custom field filters does not take user access rights into account (cproensa)
  •        0016358: [filters] Custom field filter does not recusrively read all items from sub-projects (cproensa)
  •        0006872: [custom fields] Sort of custom fields does not use data type (cproensa)
  • 0023243: [ui] Narrow space between checkbox/radio button and label (dregad)
  • 0023241: [filters] Error when changing sort order in filters, due date field only (cproensa)
  • 0022245: [ui] Collapsed menu entry no clickable in complete visible area (atrol)
  • 0022053: [plug-ins] Implement logging functionality for plugins (cproensa)
  • 0021913: [tagging] Unprivileged user can see related tags from private issues (cproensa)
51 issues View Issues
Released 2017-09-03

A feature release that includes both functional and performance improvements.

  • 0023202: [ui] Questionable order and functionality of top buttons on "View Issue" page (atrol)
  • 0022984: [ui] Calendar doesn't show the correct date the first time it opens (dregad)
  • 0023141: [html] Unused CSS delivered (atrol)
  • 0023116: [html] Due date field not displayed correctly when editing ticket (community)
  • 0023061: [ui] print_manage_menu() does not highlight active plugin pages (dregad)
  • 0022730: [ui] 'Manage Configuration' tab usually does not highlight (dregad)
  • 0022813: [customization] Field is appearing in email notification but not used in UI. (joel)
  • 0022987: [code cleanup] Replace hardcoded language strings by translatable ones (dregad)
  • 0022981: [ui] Display of hardcoded string on view_user_page if e-mail address is empty (atrol)
  • 0022967: [ui] Questionable display of "Access Denied" on view_user_page (atrol)
  • 0022940: [code cleanup] Update PHPMailer from 5.2.22 to 5.2.24 and use Composer (dregad)
  • 0023150: [html] Unused code and unused CSS delivered for obsoleted functionality (atrol)
  • 0023159: [ui] Graph display is too faint and blurred (atrol)
  • 0023087: [filters] Removing "Report an issue" permission removes user from Monitoring filter dropdown (atrol)
  • 0022939: [code cleanup] Use Parsedown library v1.6.2 via Composer (vboctor)
  • 0022913: [email] Update disposable-email-checker to v3.0.1 using Composer (vboctor)
  • 0012313: [attachments] Can't open image attachments in browser windows (dregad)
  • 0023237: [performance] Project cache is not efficient with navbar project selection. (cproensa)
  • 0023188: [bugtracker] Update GuzzleHttp from 6.2.3 to 6.3.0 (vboctor)
  • 0023189: [markdown] Update Parsedown 1.6.2 to 1.6.3 (vboctor)
  • 0023190: [code cleanup] Update PhpUnit from 4.8.35 to 4.8.36 (vboctor)
  • 0023191: [time tracking] Unable to access time tracking reports (atrol)
  • 0023187: [email] Update PHPMailer v5.2.23 to v5.2.24 (vboctor)
  • 0023184: [bugtracker] AJAX calls with invalid endpoints fail with syntax error (dregad)
  • 0023204: [performance] Unused and inefficient code in function layout_print_sidebar (atrol)
  • 0023227: [ui] When specifiying top_buttons display, the button on update screen has no styling. (atrol)
  • 0023145: [api rest] Support deleting notes via REST API (vboctor)
  • 0023144: [api rest] Support issue id as part of the path for REST API (vboctor)
  • 0023139: [api rest] Notes returned by /issues REST API have incorrect timestamps (vboctor)
  • 0023131: [api rest] /api/rest/projects doesn't return child projects (vboctor)
  • 0023112: [custom fields] Custom fields badly filtered when multi-projects (cproensa)
  • 0022919: [time tracking] Time Tracking "auto count" is giving the wrong elapsed time (dregad)
  • 0022158: [time tracking] Time tracking report excludes issues with no category assigned (cproensa)
  • 0023143: [api rest] Support adding notes via REST API (vboctor)
  • 0021807: [ui] The required fields are not explicitly visible when updating, resolving or closing an issue (community)
  • 0022469: [time tracking] Enabling Time Tracking distorts View Issue Details page layout. (cproensa)
  • 0022291: [time tracking] Issue history box is narrower than other boxes above it on View Issue page (cproensa)
  • 0021695: [ui] "notify user" check should be moved outside the form (cproensa)
  • 0012444: [bugtracker] bug_actiongroup_page, on copy, & move, poject combo lists projects wich the user has no rights (cproensa)
39 issues View Issues
Released 2017-09-03

Security fixes release for 2.5.x series.

  • 0023146: [security] CVE-2017-12061: XSS in /admin/install.php script (dregad)
  • 0023166: [security] CVE-2017-12062: XSS in manage_user_page.php (atrol)
  • 0023179: [security] Login page no longer warns about 'admin' directory being present (dregad)
  • 0023181: [administration] Checks on login page are never executed if "admin" dir does not exist (dregad)
  • 0023185: [security] Improve doc and notifications when admin dir is present (CVE-2017-12419) (dregad)
5 issues View Issues
Released 2017-09-03

Security fixes release for 1.3.x series.

  • 0023175: [security] CVE-2017-12061: XSS in /admin/install.php script (dregad)
  • 0023186: [security] Improve doc and notifications when admin dir is present (CVE-2017-12419) (dregad)
2 issues View Issues
Released 2017-06-17

Maintenance release that fixes installation failure.

  • 0022985: [installation] Initial installation does not continue after clicking install (dregad)
1 issue View Issues
Released 2017-06-04

Feature release with main focus on REST API improvements, some of the fixes also applies to the SOAP API.

  • 0022768: [api rest] Support retrieving issues based on filter or a project (vboctor)
  • 0022765: [api rest] Implement a test framework for REST API (vboctor)
  • 0022850: [ui] Installation page layout and style issues (dregad)
  • 0022774: [api rest] Some access denied errors don't show user info correctly (vboctor)
  • 0022808: [api rest] Use GuzzleHttp for http requests (vboctor)
  • 0022788: [api rest] Support retrieving projects accessible to users (vboctor)
  • 0022783: [api rest] Return 400 instead of server side error if summary, description or project fields are missing (vboctor)
  • 0022782: [api rest] Don't return target_version if user doesn't have access to view roadmap (vboctor)
  • 0022780: [api rest] Don't return platform, os, and os_build if disabled (vboctor)
  • 0022779: [api rest] Don't return profile information if feature disabled (vboctor)
  • 0022778: [api rest] Don't allow setting version to an undefined version (vboctor)
  • 0022777: [api rest] Don't return sponsorship_total (vboctor)
  • 0022776: [api rest] Sticky flag should be a boolean rather than a string (vboctor)
  • 0022775: [api rest] Rename date_submitted to created_at and last_updated to updated_at (vboctor)
  • 0022773: [api rest] Don't return projection info if feature is disabled (vboctor)
  • 0022772: [api rest] Don't return eta info if feature is disabled (vboctor)
  • 0022771: [api rest] Due date access check should be based on project access level rather than global one (vboctor)
  • 0022770: [api rest] Change version from string to an object (vboctor)
  • 0022769: [api rest] Note type should be note instead of timelog if time tracking is not accessible to user (vboctor)
  • 0022767: [api rest] Include status color in status enum value for issues (vboctor)
  • 0022766: [api rest] Enum name should reflect non-localized enum name and label for localized name (vboctor)
  • 0022905: [code cleanup] The URL of the return button in breadcrumbs div has a trailing '?' (dregad)
  • 0022868: [other] PHP variable misspelt in html_api.php (dregad)
  • 0022904: [db mssql] database_api: db_insert_id returns string not int (mssql) (dregad)
  • 0022933: [timeline] Confusing entry in timeline when removing other users from monitoring list (atrol)
  • 0022925: [time tracking] Time Tracking - issue (atrol)
  • 0022928: [administration] $g_anonymous_account is case sensitive, preventing normal users from logging in (vboctor)
  • 0021871: [performance] Improve db_fetch_array performance (cproensa)
  • 0022864: [code cleanup] phpdoc for 'print_link_button' has incorrect order of parameters (cproensa)
  • 0022865: [code cleanup] Login page displays a PHP system notice when using BASIC_AUTH (dregad)
  • 0022852: [localization] [de] Incorrect label in German "Change status" form (atrol)
  • 0022851: [installation] Installer should display sample table names based on table prefix/suffix settings (dregad)
  • 0022809: [api rest] Upgrade Slim Framework from 3.7.0 to latest (3.8.1) (vboctor)
  • 0021994: [attachments] issue with attachments cannot be moved between projects with different upload directories (uploads saved in file system) (dregad)
34 issues View Issues
Released 2017-06-04
  • 0022923: [authentication] Logout page on authentication plugins never gets called (community)
  • 0022926: [custom fields] Custom Fields - Date: Field does not show date (view.php), shows other text (vboctor)
  • 0022937: [custom fields] Custom fields of type Email are not properly displayed (vboctor)
  • 0022950: [custom fields] Custom Fields of Type Text showing Link (Url) as Text only (vboctor)
4 issues View Issues
Released 2017-05-20

MantisBT maintenance release for 2.4.x.

  • 0022428: [markdown] CSV and Excel exports with markdown on (vboctor)
  • 0022906: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
  • 0022909: [security] CVE-2017-7620: CSRF - Arbitrary Permalink Injection (dregad)
  • 0022867: [markdown] Markdown formatting is broken for notes column on View Issues page (vboctor)
4 issues View Issues
Released 2017-05-20

MantisBT maintenance release for 2.3.x

  • 0022907: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
  • 0022908: [security] CVE-2017-7620: CSRF - Arbitrary Permalink Injection (dregad)
2 issues View Issues
Released 2017-05-20

MantisBT maintenance and security release for 1.3.x.

  • 0020168: [db schema] Use of 'mantis' as plugin table prefix prevents plugin's installation (dregad)
  • 0022702: [security] CVE-2017-7620: CSRF - Arbitrary Permalink Injection (dregad)
  • 0022816: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
3 issues View Issues
Released 2017-04-30
  • 0022635: [time tracking] Empty notes with time tracking show as empty notes for users that can't view time tracking (vboctor)
  • 0022452: [ui] Create new project button (community)
  • 0021558: [ui] log destination for page produces messed output (syncguru)
  • 0022665: [documentation] Wrong documentation of option bug_resolution_fixed_threshold (atrol)
  • 0022689: [bugtracker] HTTP_X_FORWARDED_PROTO is not honored when loading Gravatar (vboctor)
  • 0022744: [signup] Signup is not working on (vboctor)
  • 0022740: [performance] Allowed memory size of 268435456 bytes exhausted (vboctor)
  • 0004235: [authentication] Support Generic Authentication through Plug-ins (vboctor)
  • 0022140: [administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
  • 0022673: [attachments] Dropzone uploads files when submitting other forms (cproensa)
  • 0022762: [api rest] Bug in error handling when user doesn't have access level to handle issue (vboctor)
11 issues View Issues
Released 2017-04-29
  • 0022742: [security] CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php) (dregad)
  • 0022743: [timeline] Timeline "More Events" button also acts as "Next" button (dregad)
  • 0022746: [authentication] Lost password redirects to login page if email address is empty and anonymous access is disabled (vboctor)
3 issues View Issues
Released 2017-04-16

Security and maintenance release

  • 0022700: [localization] Due Date in bug_change_status_page.php (cproensa)
  • 0022653: [filters] Regression: Filter by date broken (cproensa)
  • 0022739: [security] CVE-2017-7615: Account verification page allows resetting any user's password (dregad)
3 issues View Issues
Released 2017-04-16

Security release

  • 0022738: [security] CVE-2017-7615: Account verification page allows resetting any user's password (dregad)
1 issue View Issues
Released 2017-04-16

Security release

  • 0022690: [security] CVE-2017-7615: Account verification page allows resetting any user's password (dregad)
1 issue View Issues
Released 2017-03-31

Feature release including security fixes and our brand new experimental REST API. The REST API can be extended by plugins and power web UI ajax features. In this release the REST API is disabled by default (expect for calls from within the web UI using cookie authentication) – see 0022598 for more details.

  • 0022583: [attachments] Open PDFs in the browser rather than downloading them (vboctor)
  • 0022582: [relationships] Relationships box layout is not right for reporters (vboctor)
  • 0022585: [timeline] Show timeline for specific user (cproensa)
  • 0022507: [ui] On Edit Filter page, 'Filter name' input field is too narrow (dregad)
  • 0022445: [ui] Manage users page does not show filters '0'-'9' as selected (atrol)
  • 0022474: [administration] "Obsolete configuration" warnings when running admin checks (atrol)
  • 0022499: [documentation] Document reuse of language strings (dregad)
  • 0022501: [ui] Enhance layout of "View Issue Details" page (atrol)
  • 0022505: [ui] Enhance layout of "Updating Issue Information" (atrol)
  • 0022506: [attachments] Error updating project document (atrol)
  • 0022423: [html] ID attribute for bugnote_text (community)
  • 0022571: [html] Add ID attribute for bugnote_text textarea (community)
  • 0022548: [ui] Remove unnecessary 'center' class from textarea in bugnote edit page (community)
  • 0022541: [localization] Enhance wording in manage_config_email_page.php and manage_config_work_threshold_page.php pages (atrol)
  • 0022572: [documentation] Wrong default value in documentation of "g_show_version" (atrol)
  • 0022543: [ui] Open images in the browser rather than download them (vboctor)
  • 0021552: [ui] My account preferences: move project list outside the form (cproensa)
  • 0022473: [plug-ins] Avatars should respect image aspect ratio (community)
  • 0022590: [ui] Broken javascript and missing footer in My View Page (cproensa)
  • 0022593: [plug-ins] Broken Snippet plugin (vboctor)
  • 0022598: [api rest] REST API Framework (vboctor)
  •        0022599: [code cleanup] Use composer to pull in dependencies (vboctor)
  •        0022600: [api rest] Enable plugins to publish their own REST APIs (vboctor)
  •        0022601: [api rest] Support using REST API from Web UI Javascript (vboctor)
  •        0022602: [api rest] Provide a sandbox for interacting with REST API using Swagger UI (vboctor)
  • 0022617: [code cleanup] Unneeded CSS file calendar-blue.css (atrol)
26 issues View Issues
Released 2017-03-31

Security fixes and maintenance release

  • 0022555: [filters] Regression in custom field sorting (cproensa)
  • 0022545: [markdown] Markdown still converting '& amp;' to & and '& lt;' to < (dregad)
  • 0022392: [filters] Sorting all bugs list using a column header after applying a filter resets the filter (cproensa)
  • 0022496: [filters] Permalink does not work with "Note By" (cproensa)
  • 0022566: [filters] Filter error due to "view status" having an array value (cproensa)
  • 0022613: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 0022615: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 0022333: [markdown] Markdown starts heading in the middle of a line (joel)
8 issues View Issues
Released 2017-03-31

Security fixes release

  • 0022208: [db mssql] File upload to MS-SQL not working (dregad)
  • 0022063: [db mssql] Installation on MSSQL fails at step 209 (dregad)
  • 0022568: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 0022579: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
4 issues View Issues
Released 2017-03-30

Security release

  • 0022612: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 0022614: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
2 issues View Issues
Released 2017-03-21

Maintenance and Security release for 2.2 series

  • 0022562: [security] CVE-2017-6973: XSS in adm_config_report.php (dregad)
1 issue View Issues
Released 2017-03-21

Maintenance and Security release for 2.1 series

  • 0022564: [security] CVE-2017-6799: XSS in view_filters_page.php (dregad)
  • 0022565: [security] CVE-2017-6973: XSS in adm_config_report.php (dregad)
  • 0022563: [security] CVE-2017-6797: XSS in bug_change_status_page.php (dregad)
3 issues View Issues
Released 2017-03-21

Maintenance and Security release for 1.3 series

  • 0022537: [security] CVE-2017-6973: XSS in adm_config_report.php (dregad)
  • 0022468: [other] Resolution changes in some cases when closing issues (atrol)
2 issues View Issues
Released 2017-03-11

Maintenance release for 2.2 series including security fixes.

  • 0022246: [markdown] Markdown is converting '&' signs to (ampersand[amp;]) inside code block or backtick as well (joel)
  • 0022497: [security] CVE-2017-6799: XSS in view_filters_page.php (dregad)
  • 0022561: [security] CVE-2017-6797: XSS in bug_change_status_page.php (dregad)
  • 0022442: [printing] System error when opening Print reports (dregad)
  • 0022479: [administration] Can't edit a project's name changing only accents a on MySQL (dregad)
  • 0022510: [installation] Attempting to connect to database as admin BAD despite valid userid and password (dregad)
6 issues View Issues
Released 2017-02-26

A feature release that includes all fixes from 2.1.1 release listed above, some setup fixes, status colors visibility improvements, shed some unnecessary js/css and multiple improvements for relationships feature.

  • 0022363: [relationships] Setting a duplicate id should update relationship with target issue if already exists (vboctor)
  • 0021724: [ui] Improve visibility of status colors (syncguru)
  • 0021881: [javascript] Remove jquery-ui is not longer used in Modern UI (syncguru)
  • 0022256: [javascript] Unbundle JS libraris from Ace theme files (syncguru)
  • 0022401: [installation] Installer displays horizontal blue line under "Checking installation" section header (dregad)
  • 0022361: [relationships] Trigger notifications on related issues when an issue is deleted (vboctor)
  • 0022400: [installation] Installer does not show "GOOD" status for DB connections (dregad)
  • 0021796: [ui] inline attachments should be directly visible (dregad)
  • 0022273: [javascript] Enable CDN support for dropzone.js (syncguru)
  • 0022362: [relationships] Use bin icon instead of 'delete' button to delete relationships (vboctor)
  • 0022360: [relationships] relationship_add() doesn't return bug relationship information (vboctor)
  • 0022316: [code cleanup] Duplicate code to display the filter view type toggle menu item (dregad)
  • 0022296: [code cleanup] Options in $g_public_config_names are not sorted (atrol)
  • 0008313: [relationships] More work needs to move to Relationship APIs (vboctor)
  • 0021897: [ui] Unaligned color coding of status (syncguru)
  • 0021619: [code cleanup] Use constants instead of hardcoded values for filter view types (dregad)
  • 0016933: [relationships] Deleting relationship should set target bug's last updated (vboctor)
17 issues View Issues
Released 2017-02-26

A maintenance release for 2.1.x series

  • 0022302: [filters] Permalink does not work with tags (cproensa)
  • 0022266: [security] CVE-2017-7222: Sanitize window title (vboctor)
  • 0022288: [bugtracker] Due date current value doesn't show in change status form (syncguru)
  • 0022326: [time tracking] g_time_tracking_without_note has no effect (vboctor)
  • 0022347: [filters] Filter allows to sort on non sortable fields (cproensa)
  • 0022359: [ui] Enhance filter box UI (syncguru)
  • 0022369: [filters] Recently Modified box on View Issues page does not display closed issues (cproensa)
7 issues View Issues
Released 2017-02-01

Maintenance release for 2.0.x series.

  • 0022114: [tools] Travis builds should reflect supported PHP versions (dregad)
  • 0022107: [plug-ins] EVENT_MENU_MAIN does not support relative paths (dregad)
  • 0022157: [installation] Incorrect Error Message on MSSQL installation (atrol)
  • 0022168: [webpage] HTTPS for powered by-link (atrol)
  • 0022230: [news] PHP system notice on News page (vboctor)
5 issues View Issues
Released 2017-01-30

MantisBT 2.1.0 feature release

  • 0021935: [filters] Filter api refactoring, manage stored filters (cproensa)
  •        0006823: [filters] Date filter should work with "last update", too (community)
  •        0021618: [code cleanup] Duplicate code to determine the default view type (cproensa)
  •        0017852: [filters] Tags is showing on its own row in filter box (cproensa)
  •        0006732: [administration] Sorting issue lists isn't stable (each sort scrambles previous sort) (cproensa)
  •        0021827: [filters] Displaying date filter values : month always displayed in text (english) (community)
  •        0008626: [filters] Filter forgets custom date filtering (cproensa)
  •        0021592: [filters] Unknown column 'mantis_bug_table.tags' (cproensa)
  •        0021031: [filters] Rewrite the filter box form (cproensa)
  •        0021032: [filters] Setting $g_filter_custom_fields_per_row to other than default can cause empty cells in filter box (cproensa)
  •        0021044: [performance] my view page, $t_hide_status_default consitency (cproensa)
  •        0006551: [customization] Manage custom filters (cproensa)
  •        0021811: [filters] Advanced filter shows icorrect fields (cproensa)
  •        0007708: [feature] Feature: multiple sorting of problem informations (cproensa)
  •        0003803: [filters] Provide a way to update a saved filter (cproensa)
  •        0021029: [bugtracker] Trigering a DEPRECATED error from the page body fails (cproensa)
  •        0020882: [filters] Filter by date inputs are shown disabled (cproensa)
  •        0020624: [filters] Filter shown inconsistent after changing from advanced to simple (cproensa)
  •        0020493: [filters] Wrong hide_status value on column sorting (cproensa)
  •        0006042: [filters] Switching to "Advanced Filters" hides "Hide Status" and ignores setting (cproensa)
  •        0011007: [filters] After setting $g_view_filters = ADVANCED_ONLY in config_inc.php can still end up in simple filter mode. (cproensa)
  •        0021814: [filters] plugin filter fields dont work with dynamic input (cproensa)
  •        0019700: [filters] Filters table on the view_all_bug_page.php shows empty lines when $g_enable_profiles is set to OFF (cproensa)
  •        0018045: [ui] Changed ordering of fields on View Issues page (cproensa)
  •        0009301: [filters] Add support for updating a current filter (cproensa)
  •        0009213: [filters] manage filter (cproensa)
  • 0022175: [markdown] Markdown converting '<' within backticks to & lt; (joel)
  • 0005731: [feature] search function for projects (vboctor)
  • 0021551: [administration] Manage Users pagination loses filter letter (community)
  • 0022209: [bugtracker] Adding a custom field to a project makes the filter for this project unusable (atrol)
  • 0022172: [markdown] Markdown not displaying single line breaks (joel)
  • 0022164: [markdown] Font for quoted string in markdown is too large (joel)
  • 0011604: [change log] Versions marked as obsolete appear on change log page (vboctor)
  • 0022221: [documentation] Documentation: update 'Database tables' section (dregad)
  • 0022232: [email] Email verbose notifications should be OFF by default (vboctor)
  • 0022206: [plug-ins] Improve documentation for plugins (dregad)
  • 0022205: [plug-ins] Specifying plugin authors as array triggers 'Array to string conversion' (dregad)
  • 0022204: [markdown] News headlines are parsed with markdown, though they should not be (vboctor)
  • 0022179: [markdown] Markdown is eating apostrophe / single quote (joel)
  • 0022237: [code cleanup] Remove references to 'register_globals' (dregad)
  • 0022239: [ui] checkbox for personal setting "E-mail Full Issue Details" still using old style (dregad)
  • 0022171: [plug-ins] Redefine plugin version requirements (dregad)
  • 0022169: [attachments] File upload not working when $g_allowed_files is set (atrol)
  • 0022113: [localization] integration updates (dregad)
  • 0022131: [timeline] Remove yellow background in timeline date range (dregad)
  • 0017920: [markdown] Native markdown support (joel)
46 issues View Issues
Released 2016-12-30
  • 0021841: [installation] Minimum requirements for 2.x releases (dregad)
  • 0020040: [security] Replace jscalendar by a newer widget (syncguru)
  • 0022059: [ui] Missing leading zeroes in due date display (dregad)
  • 0021927: [administration] System utilities page for moving attachments should support move all attachments (joel)
  • 0021925: [ui] Incorrect text for the remove file button in the file upload dropzone (dregad)
  • 0021965: [documentation] Section Admin Guide: Misaligned row in Table (dregad)
  • 0022064: [javascript] datetime picker does not work if 'cdn_enabled' is ON (community)
  • 0021962: [ui] Due Date calendar icon wraps below the field (syncguru)
8 issues View Issues
Released 2016-11-26

The second release candidate for 2.0.0 release. This release includes all the fixes in 1.3.4 release.

  • 0021758: [administration] System utilities page for moving attachments not styled correctly in modern ui (joel)
  • 0021840: [html] Add missing closing <div> in layout_api.php (syncguru)
  • 0021854: [authentication] Re-authenticating when visiting manage page should re-use login page (vboctor)
  • 0021861: [ui] Remove black bar from login page when it is empty (vboctor)
  • 0021815: [code cleanup] print_button() has changed definition from v1.3 (cproensa)
5 issues View Issues
Released 2016-10-30

We are excited to share with you a milestone for the 2.0.0 release by releasing the first release candidate. We encourage users to try out and give us feedback. Since 2.0.0-rc.1 and 1.3.3 share the same database schema, it should be easy to try them out side by side. Download it now or check it out at

  • 0021727: [attachments] Show attachments inline with notes (vboctor)
  • 0021651: [security] Dropzone has inline scripts in View Issue page (syncguru)
  • 0021806: [attachments] Attachment dropzone missing from notes when user doesn't have access to set view state (vboctor)
  • 0021829: [email] Fix $g_mail_priority disabling and default to disabled (vboctor)
  • 0021669: [security] Charts have inline scripts (syncguru)
  • 0021715: [mobile] Menu and buttons missing for mid size browser window (syncguru)
  • 0021722: [attachments] Issues with '+' button to view attachments inline (dregad)
  • 0021736: [ui] Display real name in breadcrumb div (atrol)
  • 0021743: [attachments] Attach files dropzone is not working (vboctor)
  • 0021754: [mobile] Main navigation has no action / does not expand when clicked on (syncguru)
  • 0021794: [mobile] Hide 'View Issues' buttons on small screens (syncguru)
  • 0021805: [javascript] Javascript errors on login page (community)
12 issues View Issues
Released 2016-10-02
  • 0020102: [ui] Support switching saved filters and free text search when filter box is collapsed (syncguru)
  • 0021697: [ui] Clearer distinction between private and public notes (joel)
  • 0021684: [ui] Account verify page layout broken (joel)
  • 0021121: [ui] Project selection not usable with large number of projects (syncguru)
  • 0021681: [ui] Breadcrumbs bar does not respect $g_show_realname (dregad)
  • 0021603: [code cleanup] Publish full source code of ACE template (syncguru)
  • 0021653: [reports] Graphs broken (vboctor)
  • 0021682: [ui] "Operation successful" confirmation message partially hidden (dregad)
  • 0021683: [ui] Standardize "operation successful" messages (dregad)
  • 0021689: [code cleanup] Obsolete icon_path configuration (atrol)
  • 0021710: [ui] Incorrect display on Bug report confirmation page (dregad)
  • 0021704: [ui] Report Stay checkbox shows broken layout on action page (dregad)
  • 0021721: [ui] Missing tooltips on issue id (dregad)
  • 0021723: [bugtracker] Redirect to report page when creating a new issue with "report stay" checked (dregad)
  • 0021726: [ui] Page bottom displayed behind Sidebar in API Tokens page (community)
  • 0021728: [performance] Unneeded tooltip information on Summary page (dregad)
16 issues View Issues
Released 2016-08-27
  • 0021642: [ui] Highlight due date when the date has passed (syncguru)
  • 0021112: [performance] Unneeded tooltip information on "My View" page (syncguru)
  • 0021650: [security] Content-Security-Policy is disabled in 2.0.0-beta.1 (vboctor)
  • 0021414: [customization] Config menu options don't show in main menu (vboctor)
  • 0021111: [localization] Language strings contain double quotes (syncguru)
  • 0021647: [filters] New to restyle 'filter deleted' page (vboctor)
  • 0021644: [ui] Don't offer "My Account" in menu when being logged in as protected user (dregad)
  • 0021114: [ui] Manage users page action buttons appears on 2 rows when showing 'Unused' (syncguru)
  • 0021638: [ui] Tables in Workflow Transitions page seems deformed (syncguru)
  • 0021622: [administration] Alert messages are not styled correctly (syncguru)
  • 0021609: [news] Page broken after updating news (atrol)
  • 0021602: [administration] Admin: "Upgrade your installation" shown even when schema is up-to-date (syncguru)
  • 0021599: [ui] The test results in Admin Check results are no longer colored (dregad)
  • 0021575: [reports] Graphs for enums (e.g. status) can break when an enum has 0 occurences (vboctor)
  • 0021117: [ui] Plugin dependencies are no longer color-coded (syncguru)
  • 0021405: [wiki] Wiki integration broken (vboctor)
  • 0021400: [ui] Collapse settings are not saved by modern UI (syncguru)
  • 0021398: [ui] My Account - Manage Columns actions page broken (syncguru)
  • 0021397: [plug-ins] Plugin menu options don't show in main menu (vboctor)
  • 0021224: [ui] Login and Signup buttons in top header don't work for anonymous users (vboctor)
  • 0021223: [ui] "Report Issue" button on top toolbar should be hidden for VIEWER/anonymous users (vboctor)
  • 0021139: [ui] Display of file type icon broken on print_bug_page (syncguru)
  • 0021137: [ui] Questionable display of sub-projects in project menu bar (syncguru)
  • 0021123: [ui] Waste of vertical space on "My View" page (syncguru)
  • 0021119: [ui] Wrong alignment of field on "Summary" page (syncguru)
25 issues View Issues
Released 2016-07-19

MantisBT 2.0.0 release focuses on improvements to the UI compared to 1.3.x release. As of this release, the db schema is the same between 1.3.x and 2.0.0-beta.1, enabling users to easily try 2.0.0-beta.1 and provide feedback.

  • 0021214: [bugtracker] Update jQuery to 2.2.4 (community)
  • 0020240: [ui] Footer issue: problem + solution (syncguru)
  • 0008503: [feature] Have "send reminder" as a button rather than a not so visible link at the top of the issue (atrol)
  • 0021115: [ui] Manage users page always shows filter '0' as selected (dregad)
  • 0021140: [db schema] Remove DB2 support (atrol)
  • 0020907: [ui] Report stay doesn't work in modern UI (vboctor)
  • 0013879: [reports] Graph plugin uses hard coded font list; ignores any other (vboctor)
  • 0021177: [reports] Jpgraph doesn't work (vboctor)
  • 0021134: [relationships] Use of undefined constant when displaying relationship graphics (atrol)
  • 0005851: [reports] X-Labels truncated in by Category Graph (vboctor)
  • 0017493: [reports] Graphs are not working out of the box (vboctor)
  • 0015246: [reports] JPGraph 3.5.x anti aliasing error in Ubuntu (vboctor)
  • 0014232: [reports] Advanced summary bad display (vboctor)
  • 0013160: [reports] Labels on x-axis in summary graphs too small and cropped (ezcLibrary) (vboctor)
  • 0012967: [reports] Category jpGraph not displayed (vboctor)
  • 0006663: [reports] I'm seeing three JPGraph-related problems (vboctor)
  • 0007342: [reports] synthesis graphs by category: many "big" categories hide pie by legend (vboctor)
  • 0007343: [reports] synthesis graphs by category: page not long enough for legend with a lot of categories (vboctor)
  • 0007991: [reports] Graphs not centered (vboctor)
  • 0010403: [reports] The legend on JPGraph graphs overlays the graph (vboctor)
  • 0012159: [reports] By Developer, By Reporter and By date graph problems (vboctor)
  • 0012384: [reports] Graph text being truncated (vboctor)
  • 0012483: [reports] Jp graph not dispalying (vboctor)
  • 0012725: [reports] Solution to "font file not readable/does not exist" seems not to work for JPGraph (vboctor)
  • 0012825: [reports] Modern graphs using javascript graphing library (vboctor)
  • 0013097: [reports] Graphs not working (vboctor)
  • 0021220: [ui] Lost password form doesn't have labels or placeholder text (vboctor)
  • 0021221: [ui] Fully localize drag and drop to attach (community)
  • 0021217: [bugtracker] Use cross origin anonymous and check integrity when loading form CDN (community)
  • 0021216: [bugtracker] Upgrade Bootstrap to 3.3.6 (community)
  • 0021222: [ui] Drag and drop should honor 'allowed_files' config option (community)
  • 0021215: [bugtracker] Update FontAwesome to 4.6.3 (community)
  • 0017919: [ui] Modernize Mantis UI (syncguru)
  • 0021131: [signup] Usage of undefined functions in verify.php (vboctor)
  • 0021130: [tagging] Usage of undefined function html_page_bottom (syncguru)
  • 0020182: [custom fields] wrong field name for custom field parameter (syncguru)
  • 0020118: [ui] pen icon ancient (syncguru)
  • 0020286: [javascript] Missing JavaScript libraries (syncguru)
  • 0011671: [reports] 3 graphs couldnot display in the page of 'summary_jpgraph_page.php' (vboctor)
  • 0019590: [attachments] Attach via drag-and-drop (syncguru)
  • 0021279: [administration] Fix error when going to Manage - Workflow Transitions and clicking update (vboctor)
41 issues View Issues