Mantis 2.24.4
29 January 2021
Mantis version 2.24.4 is now available (security release).
Upgrading to Mantis 2.24.4
Mantis 2.24.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Mantis updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install and test the 2.24.4 upgrade before applying it live. Get started managing your Mantis installations with Installatron.
What's New in Mantis 2.24.4
Security
- [security] Private category can be accessed/used by a non-member of a private project (IDOR)
- [security] Attacker can leak private information through various functions
- [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
- [security] CVE-2020-29605: Disclosure of private issue summary
- [security] CVE-2020-29603: Disclosure of private project name
- [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls
- [security] User Account - Takeover
- [security] Fixed in version can be changed to a version that doesn't exist
- [security] When updating an issue, a Viewer user can be set as Reporter
- [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
- [security] CVE-2020-28413: SQL injection in the "access" parameter of the mc_project_get_users function in the SOAP API
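The last item above names the vulnerability class (SQL injection through a parameter that should only ever be an integer) without showing what it looks like. The following is an added illustration written for this page, not Mantis code: the table, column names and both functions are hypothetical, and it uses an in-memory SQLite database so it runs stand-alone. The vulnerable variant interpolates the caller-supplied value into the query text; the hardened variant validates the type and binds the value as a parameter.

```php
<?php
// Added illustration of an integer-parameter SQL injection and its fix.
// NOT Mantis code: project_user, its columns and both functions are hypothetical.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE project_user (user_id INTEGER, project_id INTEGER, access_level INTEGER)');
// Constructed sample data: users 1 and 2 belong to project 7, user 3 to project 8.
$db->exec('INSERT INTO project_user VALUES (1, 7, 10), (2, 7, 55), (3, 8, 90)');

// Vulnerable pattern: $access is expected to be an integer access level, but nothing
// enforces that, and the raw value becomes part of the SQL text.
function project_get_users_vulnerable(PDO $db, int $project_id, $access): array
{
    $sql = "SELECT user_id FROM project_user WHERE project_id = $project_id AND access_level >= $access";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: reject anything that is not an integer, then bind the value
// so it can never be interpreted as SQL.
function project_get_users_safe(PDO $db, int $project_id, $access): array
{
    if (filter_var($access, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('access must be an integer');
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM project_user WHERE project_id = :pid AND access_level >= :access'
    );
    $stmt->execute([':pid' => $project_id, ':access' => (int) $access]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed malicious input: a string where an integer is expected. Because AND binds
// tighter than OR, the vulnerable query becomes
//   WHERE (project_id = 7 AND access_level >= 0) OR 1=1
// and returns members of every project, including user 3 from project 8.
$malicious = '0 OR 1=1';
var_dump(project_get_users_vulnerable($db, 7, $malicious));

// The hardened version refuses the same input outright ...
try {
    project_get_users_safe($db, 7, $malicious);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// ... and with a legitimate integer returns only project 7 members at level 50 or above (user 2).
var_dump(project_get_users_safe($db, 7, 50));
```

The type check and the bound parameter are independent defences: binding alone would already stop the injection, while the explicit integer validation turns a silent query rewrite into a logged, rejected request, which is what you want to see in a SOAP endpoint reachable by authenticated users.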
Changes
- [bugtracker] inconsistent UI for view bugnote revision
- [security] Printing unsanitized user input in install.php
- [printing] print_manage_user_sort_link: required function parameter declared after an optional one
- [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8
- [javascript] JavaScript error on the View Issues page
- [bugtracker] Adapt Error handler to PHP 8
- [bugtracker] Impossible to edit issues with PHP8