MantisBT 1.2.16 released

Global announcements, rules, administrative notes, etc.

Moderators: Contributor, Developer

Post Reply
Site Admin
Posts: 7526
Joined: Mar 26, 2008 4:37 pm
Location: Germany

MantisBT 1.2.16 released

Post by atrol » Feb 08, 2014 4:32 am

MantisBT 1.2.16 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

Unfortunately we introduced a regression .
Don't use this version if you use the news feature of MantisBT or apply the small change that is mentioned in the issue.

The following security issues were resolved:

Cross-site scripting (XSS) issue in account_sponsor_page.php, allowing a malicious user with project manager access to execute arbitrary JavaScript code (CVE-2013-4460). Affects MantisBT 1.1.0 and later. Refer to issue for detailed information.

SQL injection attacks through the SOAP API’s mc_attachment_get() function (CVE-2014-1608). Affects MantisBT 1.1.0a4 and later. Refer to issue for detailed information.

Additional cases of unsanitized SQL query parameters usage were identified, potentially allowing SQL injection attacks (CVE-2014-1609). Refer to issue for detailed information.

This release also includes many bug fixes and enhancements to the tracker and the SOAP api, as well as updated translations in many languages.

A full changelog can be found at: ... ion_id=183

The release can be downloaded from ... le/1.2.16/
Please use Search before posting and read the Manual

Post Reply