mantisbt - Change Log

mantisbt - 2.27.2

Released 2025-11-01
View Issues2.27.2mantisbt

Maintenance and security release addressing 4 vulnerabilities, fixing several bugs and including a few minor improvements, Many thanks to Harry Sintonen / Reversec for CVE-2025-47776 (GHSA-4v8w-gg5j-ph37), Mazen Mahmoud for CVE-2025-46556 (GHSA-r3jf-hm7q-qfw5), Chaitanya Reddy for CVE-2025-55155 (GHSA-q747-c74m-69pr) and d3vpoo1 for CVE-2025-62520 (GHSA-g582-8vwr-68h2).

  • 0036353: [attachments] When dropzone file upload finishes, progress bar keeps spinning (dregad)
  • 0036303: [attachments] Uploading a file when $g_antispam_max_event_count has been reached causes Dropzone to display HTML code (dregad)
  • 0036005: [security] CVE-2025-55155: Lack of verification when changing a user's email address (dregad)
  • 0035906: [db schema] Update ADOdb to 5.22.10 (dregad)
  • 0036540: [bugtracker] Introduce a maximum PHP version (dregad)
  • 0035915: [administration] Updating a global config yields incorrect error message (dregad)
  • 0035893: [security] CVE-2025-46556: Denial-of-Service (DoS) via Excessive Note Length (dregad)
  • 0036164: [administration] Impossible to delete a global config defined in the database (dregad)
  • 0035668: [api rest] can't change issue category to "no category" via rest api (dregad)
  • 0036269: [bugtracker] Collapsed status for "Users monitoring" section is not persisted (dregad)
  • 0036265: [feature] Search with collapsed filter section expands it (dregad)
  • 0036263: [administration] Error editing categories with PostgreSQL: APPLICATION ERROR 401 (dregad)
  • 0036515: [administration] Hardcoded role instead of config in access level check on Manage Columns page (dregad)
  • 0036542: [bugtracker] When editing a bugnote, a newline is appended to the text (dregad)
  • 0036512: [other] Access Denied page returns HTTP status 200 (dregad)
  • 0035854: [tools] PHPUnit assertObjectHasAttribute() method is deprecated (dregad)
  • 0035853: [tools] PHPUnit tests RestFiltersTest fail when anonymous access is disabled (dregad)
  • 0035852: [api rest] REST API GET /filters throws deprecation warning on PHP 8.1 (dregad)
  • 0036503: [bugtracker] Ability to change the default project of a user (dregad)
  • 0036257: [bugtracker] Deleted notes not showing in bug history (dregad)
  • 0036535: [code cleanup] Custom Field admin checks refactoring (dregad)
  • 0021675: [ui] Incorrect positioning of "View Issue Details" when recalled from "Direct link to note" (dregad)
  • 0035967: [authentication] CVE-2025-47776: Authentication bypass for some passwords due to PHP type juggling (dregad)
  • 0036502: [security] CVE-2025-62520: Ability to copy private project configurations (Columns) (atrol)
24 issues View Issues