Released 2020-12-30

Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible.

Many thanks to randomdhiraj, ethicalhcop and d3vpoo1 (https://gitlab.com/jrckmcsb), for identifying and responsibly reporting these security issues.

This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.

  • 0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
  • 0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
  • 0027361: [security] Private category can be accessed/used by a non-member of a private project (IDOR) (dregad)
  • 0027357: [security] Attacker can leak private information via different functionality (dregad)
      • 0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
      • 0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
      • 0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
  • 0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
  • 0026794: [security] User Account - Takeover (dregad)
  • 0027363: [security] Fixed in version can be changed to a version that doesn't exist (dregad)
  • 0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
  • 0027495: [security] CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function through the SOAP API (dregad)
  • 0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)
  • 0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
  • 0027704: [javascript] JavaScript error in View Issues page (dregad)
  • 0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
  • 0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
  • 0027444: [security] Printing unsanitized user input in install.php (atrol)
18 issues