In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X and retweet to spread the word!
Go ahead and download the release from our website.
MantisBT 2.26.2
Security and maintenance release addressing several vulnerabilities (CVE-2024-34077, CVE-2024-34080 and CVE-2024-34081; refer to the corresponding Issues below for details).
It also resolves a few PHP 8.x compatibility issues, as well as a few other bugs.
All installations are strongly advised to upgrade as soon as possible.
- 0033906: [bugtracker] Failed opening core.php in timeline_inc.php on PHP 8.2 / IIS (dregad)
- 0034008: [documentation] MantisGraph: document usage of EVENT_MANTISGRAPH_SUBMENU (dregad)
- 0034006: [code cleanup] MantisGraph: fix deprecated warnings in javascript (dregad)
- 0034393: [html] Incorrect handling of HTML hexadecimal character references `&#xNNN;` (dregad)
- 0034439: [code cleanup] Deprecated warning when updating Issue with null checkbox Custom Field (dregad)
- 0034441: [excel] Excel error when opening exported issues with custom field with special characters (dregad)
- 0034435: [bugtracker] Issue note links don’t reflect if issue is resolved (vboctor)
- 0034434: [security] CVE-2024-34080: Don’t hyperlink references to notes whose issues are not accessible to user (vboctor)
- 0034433: [security] CVE-2024-34077: Account Takeover in Password Reset and Account Registration Feature (dregad)
- 0034432: [security] CVE-2024-34081: Unsanitised custom field names printed (dregad)
- 0034417: [security] Update corejs-typeahead.js library to 1.3.4 (dregad)
- 0034410: [api rest] REST API error reports incorrect field “version” when updating fixed in / target version with invalid value (dregad)
- 0034399: [other] Internal server error on view_user_page (atrol)
- 0012956: [bugtracker] Target Version does not respect GET or POST value when reporting issue (dregad)
- 0034404: [bugtracker] Proceed button is shown twice when redirecting with pending errors (dregad)
- 0034359: [api rest] REST API: “String not found” warning when adding note with invalid view_state (dregad)
- 0034348: [api rest] Adding issue note with REST API returns HTTP 500 when given view_state is invalid (dregad)
- 0034018: [filters] Filter “assigned to” and “monitor by” shows `<br />` between the users when selecting multiple (advanced filtering) (dregad)
- 0034106: [code cleanup] Deprecated creation of dynamic properties in BugData class (dregad)