Mantis 2.26.3
4 September 2024
Mantis version 2.26.3 is now available (security release).
Upgrading to Mantis 2.26.3
Mantis 2.26.3 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Mantis updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install to test the 2.26.3 upgrade prior to applying it live.
What's New in Mantis 2.26.3
Security
- [security] CVE-2024-34081: Unsanitised custom field names printed (dregad)
- [security] CVE-2024-34080: Don't hyperlink references to notes whose issues are not accessible to user (vboctor)
- [security] CVE-2024-34077: Account Takeover in Password Reset and Account Registration Feature (dregad)
- [security] Update corejs-typeahead.js library to 1.3.4 (dregad)
2.26.3
Bug Fixes and Changes
- [html] Wrong display of some column titles on "View Issues" page (dregad)
- [relationships] Relationship Graphs show/hide flag is not persistent (dregad)
- [relationships] Truncated HTML entities shown in Relationship Graph nodes' Issue summary (dregad)
- [filters] Sorting by "overdue" column does not work if "due_date" is not visible (dregad)
- [api rest] Resetting version fields to empty is not possible (dregad)
- [ui] Better icon for "overdue" column (dregad)
- [api rest] REST API GET /filters/{ID} returns empty array when ID does not exist (dregad)
- [code cleanup] Duplicated code in admin/check_api.php (dregad)
- [db mysql] Using MySQL 8.4 gives warning in admin checks (dregad)
- [api rest] REST API GET /issues endpoint returns HTML if given filter_id is not found (dregad)
- [ldap] ldap_simulation_get_user() does not return null when given non-string username (dregad)
- [administration] The "realname" field is cleared after a user is updated. (dregad)
- [performance] Bad performance when editing a project having a lot of subprojects (community)
- [code cleanup] CSP img-src has a duplicate 'self' value (dregad)
2.26.2
Bug Fixes and Changes
- [bugtracker] Failed opening core.php in timeline_inc.php on PHP 8.2 / IIS (dregad)
- [documentation] MantisGraph: document usage of EVENT_MANTISGRAPH_SUBMENU (dregad)
- [code cleanup] MantisGraph: fix deprecated warnings in javascript (dregad)
- [html] Incorrect handling of HTML hexadecimal character references &#xNNN; (dregad)
- [code cleanup] Deprecated warning when updating Issue with null checkbox Custom Field (dregad)
- [excel] Excel error when opening exported issues with custom field with special characters (dregad)
- [bugtracker] Issue note links don't reflect if issue is resolved (vboctor)
- [api rest] REST API error reports incorrect field "version" when updating fixed in / target version with invalid value (dregad)
- [other] Internal server error on view_user_page (atrol)
- [bugtracker] Target Version does not respect GET or POST value when reporting issue (dregad)
- [bugtracker] Proceed button is shown twice when redirecting with pending errors (dregad)
- [api rest] REST API: "String not found" warning when adding note with invalid view_state (dregad)
- [api rest] Adding issue note with REST API returns HTTP 500 when given view_state is invalid (dregad)
- [filters] Filter "assigned to" and "monitor by" shows <br /> between the users when selecting multiple (advanced filtering) (dregad)
- [code cleanup] Deprecated creation of dynamic properties in BugData class (dregad)