Overview

Request 864057 accepted

- MantisBT 2.24.4:
Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL
injection in the SOAP API and several information disclosure issues including a
critical one allowing full access to private issues' contents. All
installations are strongly advised to upgrade as soon as possible.
This release also includes a few PHP 8.0 compatibility fixes, including a
major one causing an access denied error for all users when updating issues.
* Attacker can leak private information via different functionality
- CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments
- CVE-2020-29605: Disclosure of private issue summary
- CVE-2020-29603: Disclosure of private project name
* Private category can be accessed/used by a non-member of a private project (IDOR)
* CVE-2020-35571: XSS in helper_ensure_confirmed() calls
* User Account - Takeover
* Fixed in version can be changed to a version that doesn't exist
* When updating an issue, a Viewer user can be set as Reporter
* CVE-2020-35849: Revisions allow viewing private bugnote id and summary
* CVE-2020-28413: SQL injection in the parameter "access" of the mc_project_get_users function through the SOAP API.
* Inconsistent UI for view bugnote revision
* Printing unsanitized user input in install.php
* print_manage_user_sort_link function parameter required after optional
* Declaring a required parameter after an optional one is deprecated in PHP 8
* JavaScript error in View Issues page
* Adapt error handler to PHP 8
* Impossible to edit issues with PHP 8

Request History

weberho created request



weberho accepted request

Works for me
