changelog.txt
mantisbt - 2.28.2 Released 2026-05-09

Important security release, addressing over 15 vulnerabilities; refer to the Change Log for details. We would like to thank the researchers who identified and helped us fix them: Vishal Shukla (@ninjasec), Dracosec Research Limited, Nozomu Sasaki (@morimori-dev) and Tang Cheuk Hei (@siunam). The release also fixes a few bugs and regression issues and improves PHP 8.5 compatibility.

- 0036819: [authentication] Secure cookies are rejected by the browser (dregad)
- 0037024: [administration] Incorrect PHP Supported version Admin Check (dregad)
- 0037023: [administration] Deprecated error in PHP 8.5 when checking the installation in the admin panel (dregad)
- 0037022: [tagging] Undefined array key error in tag_bug_get* functions when given an invalid Issue ID (community)
- 0037019: [ui] User's chosen font overwritten when saving preferences (dregad)
- 0037010: [tools] Github Actions: deprecated actions warning (dregad)
- 0037006: [code cleanup] Abort user verification early if given user id is not valid (dregad)
- 0037005: [bugtracker] user_get_row() does not throw exception when given invalid user id (dregad)
- 0036995: [security] CVE-2026-34390: Privilege Escalation from Manager to Administrator role per project basis (dregad)
- 0036991: [security] Improve protection against CSV injection (dregad)
- 0036990: [ui] Duplicated layout in View Filters Page when filter is not accessible (dregad)
- 0036969: [plug-ins] Unknown category error in the MantisGraph plugin (dregad)
- 0036974: [security] CVE-2026-33052: Authorization Bypass in Global Profile Creation via account_prof_update.php (dregad)
- 0036987: [csv] csv_escape_string: incorrect result with int/float custom values when csv_injection_protection is active (dregad)
- 0036986: [security] CVE-2026-34463: Stored HTML Injection/XSS in Clone Issue Form via Unescaped Project Name (dregad)
- 0036985: [security] CVE-2026-42071: REST Issue File Listing Leaks Attachments From Hidden Private Bugnotes (dregad)
- 0036978: [security] CVE-2026-34970: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked (dregad)
- 0032998: [administration] Call to undefined function mci_get_project_id() when removing a user from a project (vboctor)
- 0036975: [security] CVE-2026-34579: Authorization bypass in private issue monitoring allows unauthorized users to subscribe to restricted issues (dregad)
- 0036977: [security] CVE-2026-34744: Authorization bypass allows users to read their own attachments after losing access to a private issue (dregad)
- 0036976: [security] CVE-2026-34754: Authorization Bypass Allows Uploading Attachments to Private Issues via REST (dregad)
- 0037099: [security] CVE-2026-44655: XSS in move_attachments_page.php (dregad)
- 0037089: [security] CVE-2026-42070: REST/SOAP mc_issue_update Embedded Note Update Bypasses Note-Level Authorization (dregad)
- 0037020: [security] CVE-2026-44657: Stored XSS in File Download (dregad)
- 0037016: [security] CVE-2026-40597: Content Security Policy bypass via attachments (dregad)
- 0037015: [security] CVE-2026-40607: Stored XSS in Saved-Filter Owner Column (Manager+) (dregad)
- 0037013: [security] CVE-2026-41897: Reflected XSS in Rendering Dynamic Custom Textarea Field (dregad)
- 0037017: [security] CVE-2026-40598: Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page (dregad)
- 0037011: [security] CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference (dregad)
- 0037003: [security] CVE-2026-39960: Stored XSS in Custom Field Textarea Values (dregad)

mantisbt - 2.28.1 Released 2026-03-16

Maintenance and security release addressing a critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849, thanks to Alexander Philiotis of SynerComm) and two HTML injection / XSS issues with tag names (CVE not yet assigned, credits to Vishal Shukla). The release also fixes a few bugs, including regression issues introduced in 2.28.0.

- 0036810: [bugtracker] Accessing bug_report_page.php (and other pages) anonymously results in blank page (dregad)
- 0036971: [security] Stored HTML Injection / XSS in Tag Delete Confirmation via Unescaped Tag Name (dregad)
- 0036973: [security] Stored HTML Injection / XSS in my_view_page.php Timeline via Unescaped Historic Tag Name (dregad)
- 0036818: [api soap] Call to undefined function date_timestamp_to_iso8601() (dregad)
- 0036855: [bugtracker] Application error on bug_relationship_graph.php page (community)
- 0036860: [tools] Update PHPUnit to 9.6.34 (dregad)
- 0036823: [email] Update PHPMailer to 7.0.2 (dregad)
- 0036972: [localization] Invalid use of {{GENDER:*}} tag in French language strings (dregad)

mantisbt - 2.28.0 Released 2025-12-29

Maintenance release including nearly 80 enhancements and bug fixes. Highlights: compatibility with PHP 8.4 and 8.5, improved documentation including an OpenAPI Description for the REST API, better Tags management, restored included pages functionality and many others.

- 0026740: [plug-ins] Improve documentation for plugin_require_api() and plugin_event_hook() (dregad)
- 0035227: [markdown] MantisBT is not compatible with Parsedown 1.8 (community)
- 0035258: [other] Use of PHPUnit::toString() sometimes causes errors in tests (dregad)
- 0034960: [api soap] SOAP: Update WSDL viewer to version 3.1.03 (dregad)
- 0035038: [ui] Text on the relationship and workflow graphs is rendered cropped (community)
- 0035082: [plug-ins] Allow plugin_file_path() to return the files directory and use the current plugin by default (community)
- 0035230: [code cleanup] Use generic language strings for Tags management pages (dregad)
- 0035070: [plug-ins] Unable to retrieve values of arbitrary fields from LDAP (dregad)
- 0035229: [tagging] Allow direct editing of tags from Manage Tags page (dregad)
- 0005271: [other] Support NoFollow hyperlinks for external URLs (community)
- 0035228: [tagging] View and Update tag pages are not integrated in the Manage Tags menu (dregad)
- 0035223: [other] MantisBT tests are not compatible with PHPUnit 11.5 (community)
- 0035208: [plug-ins] Improve error handling for invalid plugins (dregad)
- 0035210: [ui] Incorrect handling of relative URLs in helper_get_root_domain() function and its caller (dregad)
- 0035212: [tools] GetLinkAttributesTest does not reset html_make_links config after tests (dregad)
- 0035211: [bugtracker] Core should allow detecting whether a config is set in the database (dregad)
- 0035219: [tagging] Number of related tags is no longer limited (dregad)
- 0034876: [bugtracker] When moving issues, it should not be possible to select the current project as target (dregad)
- 0034848: [reports] MantisGraph: view all data values when hovering over line (dregad)
- 0034847: [reports] Upgrade chart.js library to 3.9.1 (dregad)
- 0034824: [performance] Multiple execution of the same query with Profile API functions (dregad)
- 0006803: [bugtracker] Allow adding a note when moving an Issue to another project (dregad)
- 0010027: [tagging] Switching project on the Update Tag page gives APPLICATION ERROR 200 (dregad)
- 0022607: [tagging] Clean up unused tags (dregad)
- 0035259: [code cleanup] Add namespaces to PHPUnit test suite (dregad)
- 0035260: [administration] Project names should be trimmed before project creation or update (vboctor)
- 0035425: [ui] Inconsistent display in navbar user menu (dregad)
- 0035439: [performance] Multiple loads of plugins on the manage_plugin_page (community)
- 0035525: [bugtracker] gpc_get_int() should not remove spaces in the middle of the string (dregad)
- 0035551: [administration] Improve output of log events when $g_log_destination = 'page' (dregad)
- 0035402: [html] Footer has the wrong size (community)
- 0035544: [db postgresql] Attempt to update the category in the "Edit Project Category" form results in an error (dregad)
- 0021113: [plug-ins] EVENT_LAYOUT_PAGE_HEADER no longer available (community)
- 0022098: [customization] Setting bottom_include_page does not include specified file (community)
- 0035568: [code cleanup] Calling layout_page_header() without parameters throws deprecation warning on PHP 8.1 (dregad)
- 0035561: [ui] "Access Denied" page has no layout for anonymous account (community)
- 0036438: [plug-ins] MantisCoreFormatting: Error when saving configuration (atrol)
- 0035552: [ui] Inline error messages are sometimes displayed behind the navbar (dregad)
- 0035583: [bugtracker] Delayed inline errors are not printed on login page (dregad)
- 0036614: [code cleanup] PHP 8.5 compatibility (dregad)
- 0036618: [db schema] Update ADOdb to 5.22.11 (dregad)
- 0036617: [code cleanup] PHP 8.5: Increment on non-numeric string is deprecated (dregad)
- 0036616: [code cleanup] PHP 8.5: case followed by semicolon deprecations (dregad)
- 0036615: [code cleanup] PHP 8.5: non-canonical cast deprecations (dregad)
- 0035647: [documentation] Outdated build status in README.md (atrol)
- 0035562: [ui] If user is anonymous, page footer overlaps with error message (community)
- 0035587: [administration] Access Denied page's Login button has Invalid URL when triggered from Admin pages (dregad)
- 0035874: [email] Update PHPMailer to 7.0.1 (dregad)
- 0036621: [plug-ins] Support moderation via plugins (vboctor)
- 0035646: [documentation] Wrong code example in Admin Guide (atrol)
- 0036624: [email] Changing email address is no longer possible (atrol)
- 0035645: [ui] Some widgets are not collapsible (community)
- 0035644: [ui] Extra page load due to dropzone <img> stub tag (community)
- 0036786: [email] Calling email API functions from CLI triggers PHP warning (dregad)
- 0034649: [ui] Reorder group update actions in selection list (atrol)
- 0036765: [plug-ins] The plugin_get_current() function returns an incorrect value when executed from MantisPlugin::schema() (dregad)
- 0034928: [bugtracker] Date conversion fails using a non-US date format in VersionUpdateCommand.php (dregad)
- 0034938: [other] Update htmlpurifier to 4.19.0 (dregad)
- 0035756: [api rest] Update Guzzle to 7.10.0 (dregad)
- 0035540: [installation] A clean installation ends with Internal Server Error with no message/detail given (dregad)
- 0035207: [ui] Early inline warnings mess up the page layout (dregad)
- 0036510: [ui] Increase spacing before lock icon on relationship to private issue (dregad)
- 0035503: [html] The MantisBT web interface must pass HTML validation (part 2) (community)
- 0035288: [email] Support custom email sending providers (vboctor)
- 0036278: [email] Incorrect relationship type in email notifications (vboctor)
- 0035424: [code cleanup] Use new string_build_query() API function (community)
- 0035626: [ui] Main menu custom option with non-http absolute URL displayed incorrectly (community)
- 0006159: [documentation] Sticky Issues: document usage (dregad)
- 0014508: [documentation] Document usage of "Stick" Button in View Issue Details page (dregad)
- 0022250: [ui] Remove useless spacing in the footer (community)
- 0034823: [api rest] Create an OpenAPI Description for REST API (vboctor)
- 0035216: [code cleanup] PHP 8.4 compatibility (dregad)
- 0035217: [markdown] PHP 8.4 deprecation warnings in Parsedown 1.7.4 (dregad)
- 0035214: [code cleanup] PHP 8.4: fputcsv() empty $escape parameter is deprecated (dregad)
- 0035213: [code cleanup] PHP 8.4: E_STRICT is deprecated (dregad)
- 0035284: [api rest] Allow REST API to run on PHP 8.4 ignoring E_DEPRECATED notices (dregad)
- 0035215: [code cleanup] PHP 8.4: Implicitly nullable parameter types are deprecated (dregad)
- 0035283: [api soap] PHP 8.4: SOAP API throws SoapFault: Internal Service Error (dregad)

mantisbt - 2.27.3 Released 2025-11-03

Hotfix release addressing a couple of regression issues affecting Admin Checks introduced by 2.27.2.

- 0036619: [administration] Most Admin Checks are disabled in 2.27.2 (dregad)
- 0036620: [administration] PHP Fatal error in Admin Checks of custom fields (atrol)