Released 2020-12-30

Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible.

Many thanks to randomdhiraj, ethicalhcop and d3vpoo1 for identifying and responsibly reporting these security issues.

This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.

  • 0027361: [security] Private category can be accessed/used by a non-member of a private project (IDOR) (dregad)
  • 0027357: [security] Attacker can leak private information via different functionality (dregad)
      • 0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
      • 0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
      • 0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
  • 0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
  • 0026794: [security] User Account - Takeover (dregad)
  • 0027363: [security] Fixed in version can be changed to a version that doesn't exist (dregad)
  • 0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
  • 0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
  • 0027495: [security] CVE-2020-28413: SQL injection in the parameter "access" of the mc_project_get_users function through the SOAP API (dregad)
  • 0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)
  • 0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
  • 0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
  • 0027704: [javascript] Javascript error in View Issues page (dregad)
  • 0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
  • 0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
  • 0027444: [security] Printing unsanitized user input in install.php (atrol)
18 issues