Released 2024-05-11

Security and maintenance release addressing several vulnerabilities (CVE-2024-34077, CVE-2024-34080 and CVE-2024-34081; refer to the corresponding Issues for details). It also resolves a few PHP 8.x compatibility issues, as well as a few other bugs.
All installations are strongly advised to upgrade as soon as possible.

  • 0034432: [security] CVE-2024-34081: Unsanitised custom field names printed (dregad)
  • 0033906: [bugtracker] Failed opening core.php in timeline_inc.php on PHP 8.2 / IIS (dregad)
  • 0034008: [documentation] MantisGraph: document usage of EVENT_MANTISGRAPH_SUBMENU (dregad)
  • 0034006: [code cleanup] MantisGraph: fix deprecated warnings in javascript (dregad)
  • 0034393: [html] Incorrect handling of HTML hexadecimal character references &#xNNN; (dregad)
  • 0034439: [code cleanup] Deprecated warning when updating Issue with null checkbox Custom Field (dregad)
  • 0034441: [excel] Excel error when opening exported issues with custom field with special characters (dregad)
  • 0034435: [bugtracker] Issue note links don't reflect if issue is resolved (vboctor)
  • 0034434: [security] CVE-2024-34080: Don't hyperlink references to notes whose issues are not accessible to user (vboctor)
  • 0034433: [security] CVE-2024-34077: Account Takeover in Password Reset and Account Registration Feature (dregad)
  • 0034417: [security] Update corejs-typeahead.js library to 1.3.4 (dregad)
  • 0034410: [api rest] REST API error reports incorrect field "version" when updating fixed in / target version with invalid value (dregad)
  • 0034399: [other] Internal server error on view_user_page (atrol)
  • 0012956: [bugtracker] Target Version does not respect GET or POST value when reporting issue (dregad)
  • 0034404: [bugtracker] Proceed button is shown twice when redirecting with pending errors (dregad)
  • 0034359: [api rest] REST API: "String not found" warning when adding note with invalid view_state (dregad)
  • 0034348: [api rest] Adding issue note with REST API returns HTTP 500 when given view_state is invalid (dregad)
  • 0034018: [filters] Filter "assigned to" and "monitor by" shows <br /> between the users when selecting multiple (advanced filtering) (dregad)
  • 0034106: [code cleanup] Deprecated creation of dynamic properties in BugData class (dregad)
19 issues