[
MAINHACK
]
Mail Test
BC
Config Scan
HOME
Create...
New File
New Folder
Viewing / Editing File: changelog.txt
File is not writable. Editing disabled.
mantisbt - 2.28.4 Released 2026-07-01 Maintenance and Security release addressing a critical authentication bypass vulnerability in the SOAP API (CVE-2026-47156, thanks to MacCaulay Hudson of watchTowr) as well as 7 other vulnerabilities including SQL injection, remote code execution, Cross-site scripting, missing authorisation and improper input validation (refer to issues in the Change Log for details and security researchers credits). This release also fixes a few bugs, including a regression introduced in 2.28.2. 0037237: [printing] Printing an issue having notes without text triggers PHP error (dregad) 0037250: [ui] The news_list_page.php page does not display news for “All Projects” (community) 0037256: [email] Incorrect log message regarding sent email (community) 0037075: [api soap] SOAP Issue Update Implicitly Reassigns Reporter To The Caller When reporter Is Omitted (dregad) 0037135: [authentication] Fix CSRF validation failure in anonymous login (community) 0037257: [ui] Incorrect identification of a non-default mention tag (dregad) mantisbt - 2.28.3 Released 2026-05-14 Hotfix release, fixing a regression in the reauthentication flow introduced in 2.28.2. 0037130: [authentication] login_password_page.php: CSRF validation fails when called via auth_reauthenticate() (since 2.28.2) (community) mantisbt - 2.28.2 Released 2026-05-09 Important security release, addressing over 15 vulnerabilities; refer to the Change Log for details. We would like to thank the researchers who identified and helped us fix them: Vishal Shukla (@ninjasec), Dracosec Research Limited, Nozomu Sasaki (@morimori-dev) and Tang Cheuk Hei (@siunam). The release also fixes a few bugs and regression issues and improves PHP 8.5 compatibility. 0036819: [authentication] Secure cookies are rejected by the browser (dregad) 0037024: [administration] Incorrect PHP Supported version Admin Check (dregad) 0037023: [administration] Deprecated error in PHP 8.5 when checking the installation in the admin panel (dregad) 0037022: [tagging] Undefined array key error in tag_bug_get* functions when given an invalid Issue ID (community) 0037019: [ui] User's chosen font overwritten when saving preferences (dregad) 0037010: [tools] Github Actions: deprecated actions warning (dregad) 0037006: [code cleanup] Abort user verification early if given user id is not valid (dregad) 0037005: [bugtracker] user_get_row() does not throw exception when given invalid user id (dregad) 0036995: [security] CVE-2026-34390: Privilege Escalation from Manager to Administrator role per project basis (dregad) 0036991: [security] Improve protection against CSV injection (dregad) 0036990: [ui] Duplicated layout in View Filters Page when filter is not accessible (dregad) 0036969: [plug-ins] Unknown category error in the MantisGraph plugin. (dregad) 0036974: [security] CVE-2026-33052: Authorization Bypass in Global Profile Creation via account_prof_update.php (dregad) 0036987: [csv] csv_escape_string: incorrect result with int/float custom values when csv_injection_protection is active (dregad) 0036986: [security] CVE-2026-34463: Stored HTML Injection/XSS in Clone Issue Form via Unescaped Project Name (dregad) 0036985: [security] CVE-2026-42071: REST Issue File Listing Leaks Attachments From Hidden Private Bugnotes (dregad) 0036978: [security] CVE-2026-34970: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked (dregad) 0032998: [administration] Call to undefined function mci_get_project_id() when removing a user from a project (vboctor) 0036975: [security] CVE-2026-34579: Authorization bypass in private issue monitoring allows unauthorized users to subscribe to restricted issues (dregad) 0036977: [security] CVE-2026-34744: Authorization bypass allows users to read their own attachments after losing access to a private issue (dregad) 0036976: [security] CVE-2026-34754: Authorization Bypass Allows Uploading Attachments to Private Issues via REST (dregad) 0037099: [security] CVE-2026-44655: XSS in move_attachments_page.php (dregad) 0037089: [security] CVE-2026-42070: REST/SOAP mc_issue_update Embedded Note Update Bypasses Note-Level Authorization (dregad) 0037020: [security] CVE-2026-44657: Stored XSS in File Download (dregad) 0037016: [security] CVE-2026-40597: Content Security Policy bypass via attachments (dregad) 0037015: [security] CVE-2026-40607: Stored XSS in Saved-Filter Owner Column (Manager+) (dregad) 0037013: [security] CVE-2026-41897: Reflected XSS in Rendering Dynamic Custom Textarea Field (dregad) 0037017: [security] CVE-2026-40598 : Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page (dregad) 0037011: [security] CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference (dregad) 0037003: [security] CVE-2026-39960: Stored XSS in Custom Field Textarea Values (dregad) mantisbt - 2.28.1 Released 2026-03-16 Maintenance and security release addressing a critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849, thanks to Alexander Philiotis of SynerComm) and two HTML injection / XSS issues with tag names (CVE not yet assigned, credits to Vishal Shukla). The release also fixes a few bugs including regression issues introduced in 2.28.0. 0036810: [bugtracker] Accessing bug_report_page.php (and other pages) anonymously results in blank page (dregad) 0036971: [security] Stored HTML Injection / XSS in Tag Delete Confirmation via Unescaped Tag Name (dregad) 0036973: [security] Stored HTML Injection / XSS in my_view_page.php Timeline via Unescaped Historic Tag Name (dregad) 0036818: [api soap] Call to undefined function date_timestamp_to_iso8601() (dregad) 0036855: [bugtracker] Application error on bug_relationship_graph.php page (community) 0036860: [tools] Update PHPUnit to 9.6.34 (dregad) 0036823: [email] Update PHPMailer to 7.0.2 (dregad) 0036972: [localization] Invalid use of {{GENDER:*}} tag in French language strings (dregad)
Save Changes
Cancel / Back
Close ×
Server Info
Hostname: server306.web-hosting.com
Server IP: 192.64.117.220
PHP Version: 8.2.31
Server Software: LiteSpeed
System: Linux server306.web-hosting.com 4.18.0-553.45.1.lve.el8.x86_64 #1 SMP Wed Mar 26 12:08:09 UTC 2025 x86_64
HDD Total: 138.28 GB
HDD Free: 102.09 GB
Domains on IP: N/A (Requires external lookup)
System Features
Safe Mode:
Off
disable_functions:
None
allow_url_fopen:
On
allow_url_include:
Off
magic_quotes_gpc:
Off
register_globals:
Off
open_basedir:
None
cURL:
Enabled
ZipArchive:
Enabled
MySQLi:
Enabled
PDO:
Enabled
wget:
Yes
curl (cmd):
Yes
perl:
Yes
python:
Yes (py3)
gcc:
No
pkexec:
No
git:
Yes
User Info
Username: awodbsau
User ID (UID): 4522
Group ID (GID): 4521
Script Owner UID: 4522
Current Dir Owner: N/A