MantisBT: master-2.27 e9119c68

Author: dregad
Committer: dregad
Branch: master-2.27
Timestamp: 2025-10-31 03:56
Parent: master-2.27 c048bf83
Affected Issues  0035893: CVE-2025-46556: Denial-of-Service (DoS) via Excessive Note Length
Changeset

Restrict size of textarea fields

A lack of server-side validation for note length in MantisBT allows
attackers to permanently corrupt issue activity logs by submitting
extremely long notes. Once such a note is added:

  • The entire activity stream becomes unviewable (UI fails to render).
  • New notes cannot be displayed, effectively breaking all future
    collaboration on the issue.

Fixes 0035893, CVE-2025-46556, GHSA-r3jf-hm7q-qfw5
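
The commit message above describes the fix in outline only: the note length must be validated on the server, since a client-side `maxlength` attribute is trivially bypassed. The following is an added, self-contained PHP example of that pattern and is not MantisBT's own code; the limit constant `MAX_NOTE_CHARS`, the functions `validate_text_field` and `render_textarea`, and the sample submissions are all hypothetical, and the `mbstring` extension is assumed to be available. It counts characters rather than bytes so multi-byte UTF-8 is measured the way the user sees it, and it rejects invalid UTF-8 outright rather than letting it slip through under a byte count.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT code. MAX_NOTE_CHARS is a hypothetical limit;
// in a real application it would come from configuration.
const MAX_NOTE_CHARS = 2000;

/**
 * Server-side length check for a free-text field. This is the enforcement
 * point: nothing a browser sends can be trusted to honour a maxlength hint.
 *
 * @return string|null  error message, or null when the value is acceptable
 */
function validate_text_field(string $name, string $value, int $max_chars): ?string
{
    // Reject malformed UTF-8 before measuring; mb_strlen on bad input is not meaningful.
    if (!mb_check_encoding($value, 'UTF-8')) {
        return "$name: invalid UTF-8";
    }
    $len = mb_strlen($value, 'UTF-8');   // characters, not bytes
    if ($len > $max_chars) {
        return "$name: $len characters exceeds the limit of $max_chars";
    }
    return null;
}

/**
 * Client-side hint only. maxlength improves the form's behaviour for honest
 * users; it never replaces validate_text_field() on the receiving end.
 */
function render_textarea(string $name, string $value, int $max_chars): string
{
    return sprintf(
        '<textarea name="%s" maxlength="%d">%s</textarea>',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        $max_chars,
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample submissions (not real bug tracker data).
$samples = [
    'normal'    => 'Reproduced on 2.26; stack trace attached.',
    'multibyte' => str_repeat('é', MAX_NOTE_CHARS),     // at the limit in chars, 2x that in bytes
    'oversized' => str_repeat('A', MAX_NOTE_CHARS + 1), // one character over the limit
    'bad_utf8'  => "abc\xff",                           // truncated multi-byte sequence
];

foreach ($samples as $label => $note) {
    $err = validate_text_field('bugnote_text', $note, MAX_NOTE_CHARS);
    printf("%-10s bytes=%-6d result=%s\n", $label, strlen($note), $err ?? 'accepted');
}

echo render_textarea('bugnote_text', '', MAX_NOTE_CHARS), "\n";
```

Run with `php` on the command line: the `normal` and `multibyte` notes are accepted, `oversized` is rejected by one character, and `bad_utf8` is rejected before any length comparison. The `multibyte` case is the one worth keeping in a test suite: a byte-based check (`strlen`) would wrongly reject it at half the intended limit, while a character-based check with no encoding validation would accept malformed input.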

mod - account_prof_edit_page.php
mod - account_prof_menu_page.php
mod - admin/check/check_customfields_inc.php
mod - admin/check/index.php
mod - bug_actiongroup_add_note_inc.php
mod - bug_actiongroup_page.php
mod - bug_change_status_page.php
mod - bug_reminder_page.php
mod - bug_report_page.php
mod - bug_update_page.php
mod - bugnote_add_inc.php
mod - bugnote_edit_page.php
mod - bugnote_update.php
mod - config_defaults_inc.php
mod - core/bug_api.php
mod - core/bugnote_api.php
mod - core/cfdefs/cfdef_standard.php
mod - core/commands/IssueAddCommand.php
mod - core/constant_inc.php
mod - core/custom_field_api.php
mod - core/helper_api.php
mod - core/profile_api.php
mod - docbook/Admin_Guide/en-US/config/html.xml
mod - lang/strings_english.txt
mod - manage_custom_field_edit_page.php
mod - tests/rest/RestBase.php
add - tests/rest/RestIssueNotesTest.php
mod - tests/rest/RestIssueTest.php
mod - tests/soap/IssueAddTest.php
mod - tests/soap/IssueNoteTest.php
mod - tests/soap/SoapBase.php