Mantis is a free popular web-based bugtracking system
http://www.mantisbt.org
Mantis is a free popular web-based bugtracking system. It is written in the PHP scripting language and works with MySQL, MS SQL, and PostgreSQL databases and a webserver. Mantis has been installed on Windows, Linux, Mac OS, OS/2, and others. Almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).
Checkout Package
osc -A https://api.opensuse.org checkout server:php:applications/mantisbt && cd $_
Source Files
Filename | Size
---|---
README.SUSE | 262 Bytes
mantisbt-2.24.4.tar.gz | 13.7 MB
mantisbt-2.24.4.tar.gz.asc | 488 Bytes
mantisbt.changes | 50 KB
mantisbt.keyring | 33 KB
mantisbt.spec | 5.16 KB
Revision 39 (latest revision is 46): Johannes Weberhofer (weberho) accepted request 864057 from Johannes Weberhofer (weberho) (revision 39)
- MantisBT 2.24.4: Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible. This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.
  * Attacker can leak private information via different functionality
    - CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
    - CVE-2020-29605: Disclosure of private issue summary
    - CVE-2020-29603: Disclosure of private project name
  * Private category can be accessed/used by a non-member of a private project (IDOR)
  * CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  * User Account Takeover
  * Fixed-in version can be changed to a version that doesn't exist
  * When updating an issue, a Viewer user can be set as Reporter
  * CVE-2020-35849: Revisions allow viewing private bugnote id and summary
  * CVE-2020-28413: SQL injection in the parameter "access" of the mc_project_get_users function through the SOAP API
  * Inconsistent UI for view bugnote revision
  * Printing unsanitized user input in install.php
  * print_manage_user_sort_link function: required parameter after optional
  * Declaring a required parameter after an optional one is deprecated in PHP 8
  * JavaScript error in View Issues page
  * Adapt error handler to PHP 8
  * Impossible to edit issues with PHP 8