Mantis is a free popular web-based bugtracking system

Package mantisbt
http://www.mantisbt.org

Mantis is a free, popular web-based bug-tracking system. It is written in the PHP scripting language and works with MySQL, MS SQL, and PostgreSQL databases and a web server. Mantis has been installed on Windows, Linux, Mac OS, OS/2, and other platforms, and almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).

Source Files

Filename                        Size
README.SUSE                     262 bytes (262 Bytes)
mantisbt-2.24.4.tar.gz          14400419 bytes (13.7 MB)
mantisbt-2.24.4.tar.gz.asc      488 bytes (488 Bytes)
mantisbt.changes                51193 bytes (50 KB)
mantisbt.keyring                33759 bytes (33 KB)
mantisbt.spec                   5282 bytes (5.16 KB)
Revision 39 (latest revision is 46)
Johannes Weberhofer (weberho) accepted request 864057 from Johannes Weberhofer (weberho) (revision 39)
- MantisBT 2.24.4:
  Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL
  injection in the SOAP API and several information disclosure issues including a
  critical one allowing full access to private issues' contents. All
  installations are strongly advised to upgrade as soon as possible.
  This release also includes a few PHP 8.0 compatibility fixes, including a
  major one causing an access denied error for all users when updating issues.
  * Attacker can leak private information via different functionality
    - CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
    - CVE-2020-29605: Disclosure of private issue summary
    - CVE-2020-29603: Disclosure of private project name
  * Private category can be accessed/used by a non-member of a private project (IDOR)
  * CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  * User Account - Takeover
  * Fixed in version can be changed to a version that doesn't exist
  * When updating an issue, a Viewer user can be set as Reporter
  * CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
  * CVE-2020-28413: SQL injection in the parameter "access" of the mc_project_get_users function through the SOAP API.
  * inconsistent UI for view bugnote revision
  * Printing unsanitized user input in install.php
  * print_manage_user_sort_link Function Parameter Required after Optional
  * Declaring a required parameter after an optional one is deprecated in PHP 8
  * Javascript error in View Issues page
  * Adapt Error handler to PHP 8
  * Impossible to edit issues with PHP8