Mantis 2.26.4
3 October 2024
Mantis version 2.26.4 is now available (security release).
Upgrading to Mantis 2.26.4
Mantis 2.26.4 can be installed, or an existing installation upgraded to it, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Mantis updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install and test the 2.26.4 upgrade before applying it live. Get started managing your Mantis installations with Installatron.
What's New in Mantis 2.26.4
Maintenance and security release addressing an information disclosure vulnerability (CVE-2024-45792) and a regression introduced by 2.26.3 on the Manage Projects page, as well as several bug fixes.
Security
- [security] CVE-2024-45792: Insecure Direct Object References vulnerability with user profiles (dregad)
Bug Fixes and Changes
- [other] Non-existing issue number does not throw a 404 in the UI (dregad)
- [sub-projects] 'INTERNAL APPLICATION ERROR' editing some projects from manage_proj_page.php (atrol)
- [api soap] mc_issue_add fails with "Object of class SoapFault could not be converted to int" (dregad)
- [bugtracker] Can not set full URL to $g_manual_url in config_inc.php (dregad)
- [administration] Disabled projects are not listed on page manage_proj_page.php (dregad)
- [bugtracker] Incorrect usage of lang_get_defaulted() for an URL (dregad)
- [api rest] REST POST /issues allows creation of Issue when invalid Category is specified (dregad)
- [api soap] SOAP API throwing deprecation warning on PHP 8.1 (dregad)