From: Victor B. <vb...@gm...> - 2013-01-23 06:55:26
blog post: http://www.mantisbt.org/blog/?p=236

MantisBT 1.2.13 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

Two cross site scripting (XSS) vulnerability issues affecting MantisBT 1.2.12 only (earlier versions are not impacted) were discovered:

- *CVE-2013-0197*: a malicious person could trick the browser of a target user into executing arbitrary JavaScript code. This vulnerability is particularly wide-reaching due to the affected page (search.php) being usable anonymously on public-facing installations (i.e. no user login required). Refer to issue #15373 <http://www.mantisbt.org/bugs/view.php?id=15373> for detailed information.

- *CVE-2013-XXXX*: a user holding manager/administrator permissions could create a category or project name containing JavaScript code; from that point on, visitors to the Summary page (summary.php) are exposed to having the JavaScript execute within their browser environment. The severity of this issue is mitigated by the need to have a privileged account to modify category and project names. Refer to issue #15384 <http://www.mantisbt.org/bugs/view.php?id=15384> for detailed information.

A workflow-related security issue was also fixed:

- *CVE-2013-XXXX*: a user with "Reporter" permissions can modify the workflow status of any issue to "New" even if they do not have the necessary privileges to make this change. Refer to issue #15258 <http://www.mantisbt.org/bugs/view.php?id=15258> for detailed information.

In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:

- Improved Manage Configuration page (better performance, ability to filter and edit config options)
- Support for the built-in SOAP extension in addition to nusoap

A full changelog for 1.2.13 can be found here <http://www.mantisbt.org/bugs/changelog_page.php?version_id=180>.

Go ahead and download <http://www.mantisbt.org/download.php> it now. Check out Hosted MantisBT <http://www.mantisbt.org/hosting.php> to be up and running in minutes. For optimized access to MantisBT from iPhone, Android and Windows Phone, check out MantisTouch <http://www.mantistouch.org/>.

Thanks,
Mantis Team