Blog Post: http://www.mantisbt.org/blog/?p=249
MantisBT 1.2.15 is a security update for the stable 1.2.x branch.
All installations that are currently running any 1.2.x version are strongly
advised to upgrade to this release.
The following security issues were resolved:
- Any malicious user could use the view issues page (search.php) to
execute a filter that could bring down the site by overloading the
database server (CVE-2013-1883). Affects MantisBT 1.2.12 and later. Refer
to issue #15573 <http://www.mantisbt.org/bugs/view.php?id=15573> for
- A cross-site scripting (XSS) vulnerability allowed execution of
1.2.14 and later. Refer to issue
- In some cases, the ‘Close’ button would be available to unauthorized
users, allowing them to close issues at will, bypassing the workflow
settings. Affects MantisBT 1.2.12 and later. Refer to issue
This release also includes several bug fixes and enhancements to the
tracker and the SOAP API, as well as updated translations in many languages.
A full changelog for 1.2.15 can be found at
Go ahead and download it now: <http://www.mantisbt.org/download.php>.
Check out Hosted MantisBT <http://www.mantisbt.org/hosting.php> to be up and
running in minutes. For optimized access to MantisBT from iPhone, Android
and Windows Phone, check out MantisTouch <http://www.mantistouch.org/>.