Mantis 2.24.4 release reports:
Security and maintenance release, addressing 6 CVEs:
- 0027726: CVE-2020-29603: disclosure of private project name
- 0027727: CVE-2020-29605: disclosure of private issue summary
- 0027728: CVE-2020-29604: full disclosure of private issue contents, including bugnotes and attachments
- 0027361: Private category can be accessed/used by a non-member of a private project (IDOR)
- 0027779: CVE-2020-35571: XSS in helper_ensure_confirmed() calls
- 0026794: User Account - Takeover
- 0027363: Fixed in version can be changed to a version that doesn't exist
- 0027350: When updating an issue, a Viewer user can be set as Reporter
- 0027370: CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
- 0027495: CVE-2020-28413: SQL injection in the "access" parameter of the mc_project_get_users function in the SOAP API
- 0027444: Printing unsanitized user input in install.php