Not Yet Released

Feature and maintenance release

0028182: [ui] progress bar on the title bar (road map) (dregad)
0028525: [administration] Using MySQL 8.0 gives warning in admin checks (atrol)
0028528: [administration] Outdated PostgreSQL version information in Admin Checks (dregad)
0028120: [performance] Improve performance of user_pref_clear_invalid_project_default() (dregad)
0028119: [code cleanup] Calling user_get_field() with non-existing user throws incorrect warning (dregad)
0028124: [ui] Visually align the 1st column's width in manage_user_proj_delete.php (dregad)
0028114: [code cleanup] Invalid HTML in manage_user_edit_page.php (dregad)
0028122: [administration] Improve handling of project assignment in manage_user_edit_page.php (dregad)
0025956: [installation] Increase minimum PHP requirement to 7.0 (dregad)
9 issues
Released 2021-05-12

Security and maintenance release, fixes a couple of vulnerabilities in PHPMailer and Chart.js libraries, as well as a few other minor issues.

0028084: [ui] Labels for email notifications in User Prefs page appear in bold (dregad)
0028082: [ui] Project Edit Page does not display check boxes (dregad)
0028076: [plug-ins] Bundled plugins 2.25.0: incorrect Mantis requirement (dregad)
0028080: [ui] Unsightly vertical offset of the "Update Prefs" and "Reset Prefs" buttons. (dregad)
0028106: [administration] Error removing project (dregad)
0028112: [ui] Incorrect spacing between icon and text on manage_user_edit_page.php (dregad)
0028530: [security] Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) (dregad)
7 issues
Released 2021-03-07

This feature and maintenance release contains over 100 fixes and enhancements; among many other things, it improves PHP 8 compatibility, LDAP authentication and invalid plugins management. It also includes a schema change, so do not forget to upgrade the database as documented in the Admin Guide.

Please note that this will be the last release supporting PHP 5; starting with MantisBT 2.26.0, the minimum PHP version will be 7.0 - read the official announcement at

0027118: [security] Update PHPMailer to 6.3.0 (dregad)
0015361: [ldap] Add STARTTLS Support to LDAP (community)
0027144: [code cleanup] Data integrity: ensure users' default_project preference is a valid project (dregad)
0027828: [html] Standardize the way fontawesome icons are printed (dregad)
0026811: [authentication] Username regex is too strict by default (community)
0027574: [ui] Manage users edit page: inconsistent spacing between sections (dregad)
0026617: [documentation] Admin Guide has various broken links, obsolete info, etc. (dregad)
0026798: [administration] PHP warning in config_get_global (dregad)
0026822: [ldap] LDAP configuration options can be set in database (atrol)
0026821: [code cleanup] Standardize access of option database_version (atrol)
0026839: [printing] Viewer does not get Selection column in View Issues or Print Reports lists (atrol)
0026823: [ui] Upgrade to fontawesome version 4.7.0 (syncguru)
0026840: [preferences] Non existing field name os_version used where os_build should be used (atrol)
0026861: [ui] "Move" functionality offered for users that have just access to a single project (atrol)
0026884: [administration] Misleading e-mail notification following password reset by admin (dregad)
0026887: [sub-projects] Project Menu Bar does not indent subprojects properly (dregad)
0026889: [code cleanup] Implement ConfigsGetCommand and use from REST API (vboctor)
0026890: [code cleanup] Implement LocalizedStringsGetCommand and use from REST API (vboctor)
0026891: [api rest] /config REST API endpoint reports users as not found when they exist (vboctor)
0026892: [administration] Attachment settings not available on "Workflow Thresholds" page (atrol)
0026919: [api rest] Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5 (dregad)
0026930: [code cleanup] Use user_is_login_request_allowed() instead of duplicating the logic (dregad)
0026963: [ui] Username field in Monitor box triggers password managers (vboctor)
0026964: [bugtracker] Admin check always has "WARN" for magic_quotes checks (PHP 7.4) (atrol)
0027005: [time tracking] User list in time tracking summary is not sorted (dregad)
0027117: [administration] SQL syntax error on manage_user_page (atrol)
0027122: [plug-ins] 3rd-party plugins cannot use chart.js library bundled with MantisGraph (dregad)
0027123: [javascript] MantisGraph: stop using chart.js bundled build (dregad)
0027124: [plug-ins] MantisGraph: update Chart.js library to v2.9.3 (dregad)
0027129: [filters] Preserving filters does not work correctly on sub-sub-projects (dregad)
0027155: [bugtracker] Update securimage to 3.6.8 (dregad)
0011463: [localization] Confusing message when selecting a project to enter an issue (dregad)
0026888: [code cleanup] Refactor printing of project selection menus (dregad)
0026962: [code cleanup] Remove unused bug_monitor_list_view_inc.php file (vboctor)
0026974: [installation] Required PHP json extension not documented and checked (atrol)
0026988: [preferences] issue report TOO_MANY_REDIRECTS (dregad)
0027145: [code cleanup] Convert Project and User Pref APIs to use DbQuery class (dregad)
0027160: [ui] Wrong page position after bugnote add/edit (atrol)
0027808: [ui] Questionable UI / button on "Edit Project Category" page (atrol)
0027217: [bugtracker] bugnote_clear_cache() does not work properly (dregad)
0027241: [localization] Improve handling of missing language strings (dregad)
0027242: [bugtracker] Allow printing of standard confirmation alerts without buttons (dregad)
0027256: [bugtracker] Refactor Profiles management pages to display a list of records (dregad)
       0027257: [bugtracker] It is not possible to clear the Default Profile (dregad)
       0027259: [bugtracker] Profile-related operations lack confirmations (dregad)
       0027260: [ui] Confusing redirection when editing profiles (dregad)
       0027258: [code cleanup] Code cleanup around User/Global Profiles (dregad)
0027300: [documentation] Fix discrepancies in documentation for $g_display_errors (dregad)
0027302: [plug-ins] Force-installed plugins are not registered in order of priority (dregad)
0027375: [filters] search field at project-selection is not working anymore (dregad)
0027387: [administration] Manage user page table footer is displayed even when empty (dregad)
0027384: [other] Upgrade release build scripts to Python3 (dregad)
0027463: [administration] Sticky setting not available on "Workflow Thresholds" page (atrol)
0027576: [custom fields] Incorrect error message when reporting issue with a custom field failing validation (dregad)
0027575: [code cleanup] Remove obsolete 'posted' form param when reporting new issue (dregad)
0027573: [code cleanup] PHP notice in manage_user_edit_page.php when given invalid user id (dregad)
0027584: [documentation] Out of the box Mantis does not display either a Dependency or Relationship Graph (dregad)
0027700: [bugtracker] Standardize on IEEE 1541 units (KiB, MiB) for file sizes (dregad)
0027701: [code cleanup] System notice in lang_error_handler (atrol)
0027703: [code cleanup] Error handlers use deprecated context parameter (atrol)
0027768: [administration] When deleting a project, there should be information of how many (if any) issues are affected (dregad)
0027802: [code cleanup] Remove Project Info page (atrol)
0008066: [bugtracker] clickable summaries in view issues page (community)
0012961: [plug-ins] Plugin_force_uninstall is not declared (dregad)
0025764: [email] Enable S/MIME signed e-mail notifications (dregad)
0026142: [plug-ins] Improve handling of invalid / incorrectly installed plugins (dregad)
       0026143: [plug-ins] Admin checks should detect invalid / incorrectly installed plugins (dregad)
       0017487: [plug-ins] Validate plugin folder name and name match during setup (dregad)
0026481: [api rest] Errors in API documentation (vboctor)
0026920: [authorization] reporter allowed to close (vboctor)
0027113: [sql] Error in bug_api.php when UPDATEing a bug (dregad)
0027150: [performance] Non visible image previews are transferred from server to client (atrol)
0027362: [installation] Sourceforge [admin/test_langs.php] File missing from installation packages ( & mantisbt-2.24.3.tar.gz) (dregad)
0027796: [installation] Using an empty timezone causes PHP notice on PHP 8 (dregad)
0027817: [administration] Issue revision settings not available on "Workflow Thresholds" page (atrol)
0027827: [attachments] Improve pop-up description for file icons (dregad)
0027829: [tools] TravisCI: add PHP 8.0 to tests, and switch to bionic build environment (dregad)
0027830: [db postgresql] PHP 8.0 PostgreSQL builds fail due to deprecated pg_fieldsize() function (dregad)
       0026837: [db mssql] Update ADOdb to 5.20.20 (dregad)
0027833: [code cleanup] Unneeded code for option display_project_padding (atrol)
0027839: [change log] No hyperlinks in Changelog and Roadmap release notes (dregad)
0027848: [ldap] Changed default $g_ldap_protocol_version from 0 to 3. (community)
0027849: [ldap] LDAP server must be specified as an URI (community)
0027853: [security] Printing unsanitized user input in account_prof_edit_page.php (atrol)
0027881: [plug-ins] Tag attach group action doesn't trigger EVENT_TAG_ATTACHED (vboctor)
0027882: [plug-ins] Create cronjob script and plugin event (vboctor)
0027884: [administration] Some config options can be set in database, but should be configurable just in config_inc.php (atrol)
0027914: [custom fields] Custom date field with default value left blank even when field is required (dregad)
0027958: [ui] Inconsistent form input labels' font size when HTML label element is used (dregad)
0027969: [api rest] Incorrect documentation for tags (vboctor)
0027972: [ui] Left-align the Send Reminder textarea (dregad)
0027973: [api rest] REST API update issue triggers errors if payload is empty (dregad)
0027978: [ui] Horizontal rules (<hr> tag) are nearly invisible (dregad)
0027981: [api soap] mc_issue_update() throws system warning when Project not specified in IssueData (dregad)
0027982: [db schema] Email field in mantis_email_table is shorter than user email in mantis_user_table (vboctor)
0026665: [custom fields] Custom fields with comma can't be used in Manage Config Columns page (dregad)
0026903: [code cleanup] Move release scripts to main repository (vboctor)
0027298: [code cleanup] Remove unused and regroup duplicated language strings (dregad)
0027950: [custom fields] Validate date custom fields default value format (dregad)
0027956: [custom fields] Remove need to use {} for dynamic dates in custom fields default value (dregad)
0027983: [documentation] Improve Custom Fields documentation (dregad)
0027992: [documentation] Remove helper_alternate_class() calls from Developers Guide and document alternative (dregad)
0027993: [documentation] Host the Example Plugin from the Developers Guide in a repository in mantisbt-plugins organization (dregad)
0027994: [administration] "Add Version" without entering a version number outputs "Operation successful" though no version has actually been added (dregad)
0028002: [code cleanup] New API function to get User Id by cookie string (dregad)
0025998: [documentation] REST API documentation (vboctor)
106 issues
Released 2021-03-05

Security and maintenance release, includes PHP 8.0 compatibility fixes.

0027976: [security] CVE-2009-20001: User cookie string is not reset upon logout (dregad)
0027800: [bugtracker] install.php throws SYSTEM WARNINGs (dregad)
0027928: [custom fields] Unable to edit Issues having Date custom fields on PHP 8.0 (dregad)
0027826: [bugtracker] ERROR_CATEGORY_NOT_FOUND_FOR_PROJECT thrown for Category '0' (dregad)
4 issues
Released 2020-12-30

Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible.

Many thanks to randomdhiraj, ethicalhcop and d3vpoo1 for identifying and responsibly reporting these security issues.

This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.

0027361: [security] Private category can be accessed/used by a non member of a private project (IDOR) (dregad)
0027357: [security] Attacker can leak private information via different functionality (dregad)
       0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
       0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
       0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
0026794: [security] User Account - Takeover (dregad)
0027363: [security] Fixed in version can be changed to a version that doesn't exist (dregad)
0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
0027495: [security] CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function through the API SOAP. (dregad)
0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
0027444: [security] Printing unsanitized user input in install.php (atrol)
0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
0027704: [javascript] Javascript error in View Issues page (dregad)
0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)
18 issues
Released 2020-09-25

Security release including 3 CVEs. Many thanks to d3vpoo1 for identifying most of the issues.

0027268: [security] Admin can get issues assigned to users not allowed to handle them (dregad)
0027039: [security] CVE-2020-25781: Access to private bug note attachments (dregad)
0027275: [security] CVE-2020-25288: HTML Injection on bug_update_page.php (dregad)
0027276: [security] Send reminder to viewer (dregad)
0027283: [security] Admin can set viewer as a tag creator (dregad)
0027284: [plug-ins] Priority can override to any positive integer (dregad)
0027299: [code cleanup] Remove code duplication in File API (dregad)
0027303: [code cleanup] When processing categories, it is not necessary to know the project id (dregad)
0027304: [security] CVE-2020-25830: HTML Injection in bug_actiongroup_page.php (dregad)
9 issues
Released 2020-08-07

Security release

0027056: [security] CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php (dregad)
0027003: [security] Update PHPMailer from 6.1.4 to 6.1.6 (dregad)
2 issues
Released 2020-05-03

Security and maintenance release

0026631: [security] file_get_visible_attachments shows private files that should be invisible to the user (vboctor)
0026893: [security] APIs expose private attachments to users who have access to issue but not private notes (vboctor)
0026781: [bugtracker] changed project order / sequence (dregad)
0026805: [attachments] Attachments box is invisible when notes are private by default (vboctor)
0026835: [attachments] Database Server error while adding file to project (atrol)
0026838: [bugtracker] OS build field not filled in viewing mode (atrol)
0026880: [administration] Impossible to reset user's password (dregad)
0026881: [documentation] Documentation for REST API /users/{id}/reset missing (vboctor)
0026885: [api rest] Resetting password for protected user via REST API should fail (dregad)
0026921: [bugtracker] View Issue page does not show "Product Build" (wrong key names in code) (atrol)
10 issues
Released 2020-03-14
0026475: [email] Update phpmailer/phpmailer from 6.1.3 to 6.1.4 (dregad)
0026632: [api rest] Support user password reset via REST API (community)
0026598: [db mssql] Update ADOdb to 5.20.16 (dregad)
0022142: [ui] on Roadmap progress bar 'data-percent' class could stand out better (syncguru)
0026439: [ui] Issue list throws warning on every issue without bug notes. (dregad)
0026441: [api rest] Update GuzzleHttp from 6.4.1 to 6.5.2 (dregad)
0026473: [ui] Incorrect CSS rules get applied if a word in custom field name matches an existing CSS class (atrol)
0026567: [code cleanup] Code Cleanup (atrol)
0026555: [reports] Wrong number of displayed rows on summary page (atrol)
0026572: [code cleanup] Remove $g_log_destination 'firebug' option, as the project is dead since 2017 (dregad)
0026589: [documentation] Admin Guide: remove doc for long-deprecated $g_ldap_port config (dregad)
0009534: [feature] Limit reporter's access to their own issues (cproensa)
0011365: [plug-ins] New Event: EVENT_MENU_ISSUE_RELATIONSHIP (dregad)
0011381: [relationships] Dependency Graph crash on circular parent child relationships (dregad)
0017594: [reports] Display issue Summary inside relation graph nodes (dregad)
0021133: [rss] Access of non existent image in RSS feeds (dregad)
0024600: [filters] BugFilterQuery - issue? - trying to add join & where conditions (cproensa)
0026163: [relationships] Relationship Graph page UI lacks MantisBT 2.x layout (dregad)
0026164: [relationships] Relationship Graph page is missing legend (dregad)
0026165: [relationships] Relationship Graph - inconsistency between button label and title (dregad)
0026612: [plug-ins] Improve MantisColumn sort capability to allow sorting by more complex expressions (cproensa)
0026621: [filters] Wrong filtering by none-relationship (cproensa)
0026623: [ui] Generate token with empty name and APPLICATION ERROR #11 (dregad)
0026636: [installation] Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail (dregad)
0009155: [time tracking] Cell coloring for due date indicates "overdue" when not overdue yet. (dregad)
0010831: [administration] how can I allow user to view only the issue that assigned to them (cproensa)
0015466: [bugtracker] Reporter can't see an issue they have been made a monitor of (cproensa)
0016869: [bugtracker] Change of due date background color (dregad)
0021201: [localization] lang_get_defaulted does not search for fallback language (dregad)
0023570: [bugtracker] Implement limit_reporters as a threshold (cproensa)
0025097: [authentication] login username is not trimmed (dregad)
0025115: [roadmap] User can't see in roadmap a private issue that they reported (cproensa)
0026438: [bugtracker] Allow multiple, customizable due date levels (dregad)
       0009155: [time tracking] Cell coloring for due date indicates "overdue" when not overdue yet. (dregad)
       0016869: [bugtracker] Change of due date background color (dregad)
0026568: [installation] Use appropriate statement to update DB schema when generating SQL (dregad)
0026542: [api rest] Passing out of range custom field id causes multiple PHP warnings / incorrect response (dregad)
0026540: [api rest] Passing unsanitized data to type hinted function causes program crash (dregad)
0026541: [api rest] Passing invalid id to rest api custom field update causes program crash (dregad)
0026662: [installation] Final statement to set database version not logged in SQL script (dregad)
0026661: [installation] Add informational comments to SQL script generated by installer (dregad)
0026663: [installation] improve installer messages when generating SQL script (dregad)
0026664: [installation] Allow admin to reset table pre/suffix to their default values (dregad)
0026686: [bugtracker] Make category on bug_report_page a required field when $g_allow_no_category = OFF; (dregad)
0026687: [bugtracker] Required fields when reporting an issue, should also be when updating it (dregad)
0026690: [bugtracker] Mass update does not allow setting an empty category (dregad)
0026712: [ui] Provide a way to 'show content' for all complex items on Manage Configuration Report page (dregad)
0026747: [plug-ins] No equivalent to lang_get_defaulted() in plugin_api() (dregad)
0026765: [bugtracker] Inheritance of sub project not read correctly from database (dregad)
0026778: [customization] Retire bug_change_status_page_fields config option (vboctor)
48 issues
Released 2020-03-14
0026570: [bugtracker] Assigning bug from group action creates empty bugnote (atrol)
0026622: [ldap] LDAP API does not cache realname information (dregad)
       0026600: [performance] Performance loss after update from 2.20.0 to 2.23.0 (dregad)
0026482: [ui] 'View Issue' page fails to populate some fields (ex 'ID') for some projects (but not others) (atrol)
0026470: [localization] Issue values on bug view page are not localized. (atrol)
0026596: [installation] Wrong defaults for db (plugin) table prefix/suffix (dregad)
0026610: [ui] Option history_default_visible does not work (atrol)
0026575: [plug-ins] When calling bug_assign function it auto creates empty note (atrol)
0026629: [ldap] LDAP API throws PHP warning when ldap_connect() fails (dregad)
0026757: [bugtracker] Bugnote from reminder is always public - ignoring private checkbox state (community)
10 issues
Released 2019-12-09

This feature and maintenance release includes a schema change. Do not forget to upgrade the database as documented in the Admin Guide.

0009802: [attachments] Support attachments associated with private notes (vboctor)
0025972: [custom fields] Use custom field regular expression in the html input (cproensa)
0025902: [api rest] Implement IssueViewPageCommand to separate logic from rendering of issue view page (vboctor)
0021733: [attachments] Attachments should be linkable to notes in db (vboctor)
0010107: [feature] Allow setting reminder bugnotes' view status (dregad)
0026388: [security] Update ADOdb to 5.20.15 (dregad)
0026150: [bugtracker] Closing issues via group action with empty note creates a bugnote record (vboctor)
0024113: [attachments] Attaching files to a note creates a second note with only the attachments (vboctor)
0026265: [email] Bump phpmailer/phpmailer from 6.0.7 to 6.1.3 (dregad)
0026139: [reports] Move MantisGraph pages to their own tab (dregad)
0026374: [api rest] Update GuzzleHttp from 6.3.3 to 6.4.1 (dregad)
0022817: [attachments] "private bugnotes" as default setting prevents uploading further attachments (vboctor)
0024577: [attachments] Deleting a note, should delete associated attachments (vboctor)
0025935: [attachments] Warning for users when making public notes with attachments private (vboctor)
0025960: [attachments] Add files information to EVENT_BUGNOTE_ADD event (vboctor)
0025975: [custom fields] Manage custom fields page does not show fields in order (cproensa)
0026081: [attachments] Switching note to private/public, should impact associated attachments (vboctor)
0026083: [auditing] Link attachments issue history events to attachments to determine visibility (vboctor)
0021712: [filters] No way to filter "negative" for checkbox custom fields (cproensa)
0021799: [documentation] Wrong data types in ERD (dregad)
0025905: [ui] Inline actions user experience is inconsistent between different features (syncguru)
0026062: [filters] Filter for a date custom field fails when no values for this field exists (cproensa)
0026092: [documentation] Invalid URL for GraphViz home page (dregad)
0026093: [plug-ins] Content Security Policy directive 'frame-ancestors' contains an invalid source when http_csp_add is called for it (dregad)
0026094: [bugtracker] PHP notice in bug view page when viewing issue without category (dregad)
0026098: [documentation] Update ERD diagram to reflect new field in bug_file table (dregad)
0026132: [time tracking] Application Error 401 when clicking Time Tracking at the bottom of a bug notes page (dregad)
0026134: [time tracking] Bugnotes time spent info is always shown even if time tracking is disabled (dregad)
0026128: [ui] Attachments displayed with empty user (dregad)
0009363: [attachments] Comments on attachments (vboctor)
0026195: [api rest] Error requesting issues using saved filter (cproensa)
0026082: [attachments] Create a place holder note when submitting attachments without text (vboctor)
0026002: [email] "Email on monitoring" not configurable in manage_config_email_page (cproensa)
0026095: [attachments] Support inline playing of audio attachments (vboctor)
0026096: [documentation] preview_*_extensions config options not documented (vboctor)
0026102: [attachments] Support inline playing of video attachments (vboctor)
0026109: [db postgresql] check_pgsql_bool_columns: check wrongly suggests that the redirect_delay should be in boolean format (dregad)
0026123: [ui] Both "monitor" and "end monitoring" buttons are displayed (dregad)
0026125: [ui] "Users monitoring this issue" section not shown if nobody is monitoring the issue (dregad)
0026141: [custom fields] Use max length property of custom field in inputs (cproensa)
0026166: [performance] Issue view api uses many custom field database queries (cproensa)
0026167: [performance] Issue view history api repeated calls to bug_get_attachments database query (cproensa)
0026295: [ui] Clone button is not displayed correctly (cproensa)
0026326: [bugtracker] Tags are not copied from master issue when cloning (community)
0026353: [tagging] Tag attachments list includes tags already attached to the bug (dregad)
0026368: [administration] Custom fields selector in manage project page are not ordered by name (cproensa)
0026030: [custom fields] Filter value "none" is not available for multiselection list custom fields (cproensa)
0026086: [api rest] Update Slim Framework to 3.12.3 (dregad)
0026119: [tagging] Add $g_tag_create_threshold to Workflow Thresholds in the GUI (dregad)
0026294: [ui] Attachments without note text are not displayed (cproensa)
0026358: [security] Vulnerability from library Moment.js 2.15.2 (dregad)
0026367: [administration] Use empty value as default project in "manage project" subproject section (cproensa)
0026382: [javascript] Update corejs-typeahead.js library to 1.3.0 (dregad)
53 issues
Released 2019-12-09

Bugfix release

0026351: [preferences] Field "EXCEL columns" has space or tabulation (dregad)
1 issue
Released 2019-09-26

Security release for 1.3.x series.

0026162: [security] CVE-2019-15715: Command Execution / Injection Vulnerability (dregad)
1 issue
Released 2019-09-25

Security release for 2.22.x series.

0026110: [administration] [Show content] for Complex Configuration option doesn't work when mod_rewrite is disabled (dregad)
0026091: [security] CVE-2019-15715: [Admin Required - Post Authentication] Command Execution / Injection Vulnerability (atrol)
0026160: [security] Update bundled Bootstrap to 3.4.1 (CVE-2019-8331) (dregad)
0026168: [security] Enable integrity hashes for CSS resources from CDNs (dregad)
4 issues
Released 2019-08-31
0026078: [security] CVE-2019-15539: Stored XSS on Project Documentation (atrol)
1 issue
Released 2019-08-30
0026079: [security] CVE-2019-15539: Stored XSS on Project Documentation (atrol)
0025856: [api soap] SOAP API return value does not match definition in WSDL (dregad)
2 issues
Released 2019-08-26

Feature and maintenance release.

0024189: [bugtracker] Status color squares become black (cproensa)
0025850: [bugtracker] PHP Notices in User API (dregad)
0025961: [tools] PHPUnit tests as run by Travis CI builds do not execute all defined suites (dregad)
0025951: [plug-ins] MantisGraph: update Chart.js library to v2.8.0 (dregad)
0025910: [administration] Simplify displaying of complex values in adm_config_report page (cproensa)
0025969: [other] bug_report_page is forced to be cached (cproensa)
0025839: [html] Leading newlines disappear when editing data in textarea elements (dregad)
0022518: [reports] Graph too large to fit in browser viewport (cproensa)
0021797: [attachments] Add support for pasting images as attachments (syncguru)
0006128: [bugtracker] Ability to add monitors to a bug when the bug is first reported (dregad)
0025162: [plug-ins] Improve plugin schema upgrade error message (dregad)
0025470: [api soap] SOAP API return value does not match definition in WSDL (dregad)
0025749: [bugtracker] error_string() does not allow HTML tags inside of error messages (dregad)
0025774: [installation] Reflect PHP requirements in Composer config (dregad)
0025784: [html] Invalid HTML in manage_config_workflow_page.php (dregad)
0025815: [bugtracker] Users can't add monitors if access < show_monitor_list_threshold and >= monitor_add_others_bug_threshold (dregad)
0025826: [administration] Impossible to set add/remove monitors thresholds from manage page (dregad)
0025827: [documentation] Improve documentation for monitors-related configs (dregad)
0025848: [code cleanup] Remove get_email_link() API function (dregad)
0025849: [code cleanup] New prepare_mailto_url() API function (dregad)
0025851: [printing] Remove hyperlinks on usernames in Word export (dregad)
0022898: [security] Email for a new private bugnote was sent to a non authorized reporter (dregad)
0023725: [time tracking] Time tracking box rendering is broken (syncguru)
0024441: [tagging] Report issue doesn't support multiple new tags (dregad)
0024590: [plug-ins] Add EVENT_MENU_MAIN_FILTER to allow complete customisation of main menu (dregad)
0025362: [api rest] REST API support for multiple authorization headers (community)
0025686: [bugtracker] Replace mailto: by link to user profile page in view.php (dregad)
0025894: [code cleanup] Remove unused $p_can_report_only parameter in layout_navbar_projects_list() (dregad)
0025904: [documentation] Admin guide: remove reference to unmaintained Firefox add-on (dregad)
0025911: [javascript] Improve client-side sortable tables script (cproensa)
0025914: [plug-ins] EVENT_BUGNOTE_DATA event not documented in developer manual (dregad)
0025952: [code cleanup] MantisGraph: define Chart.js-related constants in the plugin (dregad)
0025953: [plug-ins] Missing an API function to check if a plugin event has been declared (dregad)
0025962: [bugtracker] IssueAddCommand does not create history entries identical to the code it replaced (vboctor)
0025963: [ui] Gravatar plugin should always use https (vboctor)
0025996: [api rest] Missing tag name in error message when creating issue via REST API (dregad)
0025997: [api rest] Invalid JSON response when creating issue with tag by name via REST API (dregad)
0026063: [code cleanup] Glue after String Array is being Deprecated (dregad)
0026066: [plug-ins] Gravatar Plugin Description (atrol)
0026074: [tagging] Creating an invalid tag should fail with an error (dregad)
0026075: [tagging] Tag-related error messages should reference the tag's name (dregad)
0026076: [api rest] Adding issue via REST API should fail if requested tags can't be attached (dregad)
0026077: [api rest] IssueAddCommand should create tag specified by name if they do not exist (dregad)
43 issues
Released 2019-08-19

Security release for 2.21.x series.

0025995: [security] CVE-2019-15074: Stored XSS Vulnerability in Timeline (dregad)
1 issue
Released 2019-06-13

Maintenance release for 2.21.x series.

0025734: [administration] LOGFILE_NOT_WRITABLE error triggered if file does not exist (dregad)
0025722: [administration] Wrong access_level settings when updating rights in the project admin page (cproensa)
0025742: [other] Summary "By Date (days)" gets wrong number (cproensa)
0025763: [attachments] File upload timeout (atrol)
0025781: [reports] Summary statistics db error message (cproensa)
0025783: [administration] Button label truncated on manage_config_workflow_page (dregad)
6 issues View Issues
Released 2019-04-20
0019642: [administration] If log file is not writable, log_event() fails silently (dregad)
0025703: [api rest] Update Slim Framework to 3.12.1 (vboctor)
0023694: [plug-ins] View Issue page menu links from EVENT MENU_ISSUE event are wrapped with "[", "]" characters (dregad)
0025695: [bugtracker] Redirect to the new issue's page after reporting it (community)
0022096: [timeline] My View page without timeline does not respect the $g_my_view_boxes_fixed_position setting (dregad)
0022104: [ui] My View Page layout misses some boxes (dregad)
0022143: [documentation] Encoding of custom files not documented (dregad)
0022972: [documentation] Upgrade guide does not mention plugins (dregad)
0023333: [filters] sub-project assignments missing from project-specific My View page (cproensa)
0023418: [ui] Plugin tab in Summary section not highlighted when selected (community)
0023550: [customization] Modification to status colors css (dregad)
0025614: [installation] Missing file (api/rest/web.config) in installer (dregad)
0025629: [administration] E_USER_DEPRECATED errors are no longer displayed inline (dregad)
0025631: [administration] PHP Notice or incorrect file+line number when displaying DEPRECATED error (dregad)
0025650: [ui] Show status with a color square instead of background color on Bug Update Page (dregad)
0025651: [performance] Update color when new Status is selected in Bug Update Page (dregad)
0025664: [ldap] LDAP documentation - Remove invalid 'hostname:port' example (dregad)
0025679: [ui] Uneven distribution of boxes on My View page when Timeline is OFF (dregad)
0025682: [ui] Show Invite button for users with manage users access level, not just administrators (community)
0023037: [ui] Focus on project search (cproensa)
0025594: [ui] Projects menu search box should be hidden when having a small number of projects (cproensa)
0025688: [api rest] Inconsistent naming of username field in REST API (community)
0025693: [performance] Improve performance of Summary Page queries (cproensa)
23 issues View Issues
Released 2019-04-20
0025621: [security] vendor folder is not protected (vboctor)
0025675: [security] CVE-2019-10905: Update Parsedown library to 1.7.3 (dregad)
0025661: [bugtracker] Project versions disappear when set "obsolete" (cproensa)
0025697: [html] Viewing Issues > print reports, csv export, excel export - broken links (dregad)
4 issues View Issues
Released 2019-03-16

Feature release

0025390: [tools] Travis CI builds fail for PHP 7.3 (dregad)
0025368: [administration] Manage project, copy from/to forms are easy to click accidentally and don't ask for confirmation (cproensa)
0025436: [email] Bump phpmailer/phpmailer from 6.0.6 to 6.0.7 (dregad)
0024672: [security] Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042) (atrol)
0025213: [rss] RSS feeds broken when using PHP >= 7.0 (atrol)
0025523: [plug-ins] MantisGraph: improve handling of colors in Pie charts (dregad)
0025488: [reports] Update Chart.js to 2.7.3 (atrol)
0005151: [administration] Can't update user's project-specific access level (dregad)
0025437: [api rest] Update Slim Framework to 3.12.0 (dregad)
0004624: [feature] Add filtered summary (cproensa)
0014656: [reports] Filter by dates in Summary Graphs (cproensa)
0017304: [documentation] Manual does not describe variable "g_from_name" (atrol)
0020069: [code cleanup] default_email_on_status, misleading comments in config_defaults (atrol)
0023045: [feature] Usability suggestion at Report Issue screen (atrol)
0023904: [performance] Massive queries to user table in edit project (cproensa)
0024347: [security] web.config file is missing in api/rest (community)
0024549: [filters] Permalink - Filter lose information after click on view issues (cproensa)
0024775: [filters] Improve presentation of temporary filters (cproensa)
0024776: [filters] Switching simple/advanced for a temporary filter loses the filter (cproensa)
0025109: [html] Filter widget does not hide bottom bar when collapsed (cproensa)
0025130: [administration] "Check Installation" is missing from Admin menu (dregad)
0025164: [reports] MantisGraph, implement filtered summary for graphs (cproensa)
0025168: [reports] MantisGraph. Reporter graph does not fit width of page (dregad)
0025174: [excel] Float custom field saved as String in XML-Excel export (atrol)
0025210: [reports] Script error in graphs (cproensa)
0025381: [api rest] Get project doesn't return all versions (atrol)
0025385: [ui] Summary page submenu not aligned when screen narrower than buttons (dregad)
0025386: [ui] Incorrect spacing between submenu and main div for some MantisGraph screens (dregad)
0025387: [ui] MantisGraph: redundant subtitle on Issue Trends page (dregad)
0025403: [documentation] $g_notify_new_user_created_threshold_min is ignored on new account creation (atrol)
0025408: [documentation] Minor documentation fixes (atrol)
0025429: [api rest] Undefined variable t_show_detailed_errors in API REST (dregad)
0025442: [db mssql] Wrong/duplicate bugnote_text_id in mantis_bugnote_table (cproensa)
0025466: [reports] SYSTEM NOTICE on graph pages (atrol)
0009757: [reports] View Issues - Select a Filter - Graph are not linked on this choice (cproensa)
0012261: [filters] Cannot filter by versions of parent project when child project selected (cproensa)
0020054: [administration] Can't modify configuration for All projects if only one project exists (cproensa)
0021931: [reports] Filtered Summary (cproensa)
0022099: [reports] Missing pie chart in "By Category Graphs" (cproensa)
0022100: [code cleanup] Take care of released/obsolete flag when accessing version_cache_array_rows() cache (cproensa)
0023245: [performance] project versions are not cached efficiently (cproensa)
0024821: [code cleanup] Wrong caching in version API (cproensa)
0025110: [authentication] Token error when login with a newly created user (cproensa)
0025102: [api rest] /api/rest/issues endpoint supposedly returns all issues, but doesn't (community)
0025133: [ui] Project selection is shown even if the user has no accessible projects (cproensa)
0025163: [reports] MantisGraph summary links don't highlight current graph page (cproensa)
0025165: [reports] Summary doesn't honour issue access (dregad)
0025217: [ui] Enable selection of a range in checkboxes lists. (cproensa)
0025378: [ui] Provide sortable functionality to simple tables (cproensa)
0025400: [api rest] Allow adding/updating/deleting subprojects via REST API (community)
0025434: [email] check all/ uncheck all checkbox for email notification (cproensa)
0025446: [ui] 'show_queries_count' is a global setting, but 'show_memory_usage', 'show_timer' are not (atrol)
0025454: [ui] Page adm_config_report does not cache users and generate many database queries (cproensa)
0025455: [ui] Page adm_config_report, users in filter list are not correctly ordered (cproensa)
0025456: [sql] Page adm_config_report has queries missing db_param_push() (cproensa)
0025463: [attachments] Dropzone max-filesize option is not correct (cproensa)
0025464: [attachments] Enforce max-filesize in dropzone to alert and drop big files before form submission (cproensa)
0025465: [attachments] Dropzone preview does not work (cproensa)
0025515: [api rest] Simple and Advanced filters are not consistent for handling sub-project issues (cproensa)
0025522: [plug-ins] MantisGraph: limit number of slices in By Category pie chart (dregad)
0025524: [plug-ins] MantisGraph: improve display of By Category Bar chart (dregad)
0025532: [relationships] Error when adding a relationship if bug id contains whitespace as prefix or suffix (dregad)
0025533: [relationships] When adding multiple relationships, ignore source issue and empty issue ids (dregad)
0025572: [attachments] Redesign Dropzone file previews (cproensa)
64 issues View Issues
Released 2019-03-16

Maintenance release for 2.19.x series.

0025178: [security] Update ADOdb to 5.20.14 (dregad)
0025566: [email] PHPMailer regressions (dregad)
2 issues View Issues
Released 2019-03-16

Security and PHP compatibility fixes

0025180: [security] Update ADOdb from 5.20.9 to 5.20.14 for security and compatibility fixes (dregad)
1 issue View Issues
Released 2019-01-02
0024986: [api rest] Update Guzzle to 6.3.3 (dregad)
0024990: [email] Update PHPMailer to 6.0.6 (dregad)
0024987: [api rest] Update Slim Framework to 3.11.0 (dregad)
0024931: [signup] PHP warnings and errors when trying to signup existing user (atrol)
0024989: [bugtracker] Update ADOdb to 5.20.13 (dregad)
0021284: [installation] memory_limit test fails when memory_limit is set to -1 (atrol)
0023712: [authentication] auth_get_current_user_id can return strings while that is not expected (vboctor)
0024877: [bugtracker] IssueNoteAddCommand: reassign_on_feedback doesn't work if reporter is not specified (vboctor)
0024882: [relationships] relationship_can_resolve_bug function problem (atrol)
0024896: [authentication] Password managers don't work with password login page (cproensa)
0024925: [administration] Misleading Message in the creation of user (atrol)
0024932: [preferences] "Manage" menuitem visible even though no access (atrol)
0024976: [ui] Sidebar's collapsed state is not preserved (dregad)
0024988: [email] Update Disposable Email Checker to 3.1.0 (dregad)
0025002: [custom fields] Error when updating content in a custom field of type "Text Area" ("Textbereich"): History cannot be stored (atrol)
0025016: [bugtracker] Default projection is ignored (atrol)
0025033: [installation] Warning with PHP 7.3: "continue" targeting switch is equivalent to "break". Did you mean to use "continue 2"? (atrol)
0025042: [administration] Add some more information to view_user_page (atrol)
0025043: [code cleanup] Code Cleanup (atrol)
0025100: [plug-ins] Display header fails when no user is authentication and anonymous login is off (vboctor)
0025059: [administration] View User Page: hide footer at bottom of User Info table when not needed (dregad)
0025072: [filters] Could not use the FilterBugList filter with "Permalink" (community)
0025061: [authentication] Generic error is triggered when anonymous login is not defined (dregad)
0025099: [authentication] Auth plugins can't control session expiry time and disable perm login (vboctor)
0025116: [roadmap] Manage workflow thresholds does not have the option for "view roadmap" (cproensa)
0025112: [other] Link to create new user is a form and prevents reloading (cproensa)
26 issues View Issues
Released 2019-01-02
0024899: [filters] Filter assigned to shows <br /> (atrol)
0024985: [security] Update PHPMailer to 5.2.27 (dregad)
2 issues View Issues
Released 2019-01-02
0025129: [code cleanup] Remove usage of deprecated function __autoload (atrol)
0025131: [security] Update PHPMailer to 5.2.27 (dregad)
2 issues View Issues
Released 2018-10-17

Feature release

0024774: [tagging] Error Creating Issue with new TAG (vboctor)
0024822: [code cleanup] Code Cleanup (atrol)
0024741: [plug-ins] Plugin Columns - Export CSV or Excel - PHP 7.2.7 - crash error 500 - Reason missing 2 argument in call (dregad)
0010411: [bugtracker] Changes to project_view_state and view_state to create only private projects (vboctor)
0024520: [html] Missing fallback for "Open Sans" font (community)
0024823: [performance] Performance enhancements of string processing (atrol)
6 issues View Issues
Released 2018-10-16

Maintenance release for 2.17.x series.

0024814: [security] CVE-2018-17783: XSS in manage_filter_edit_page.php (atrol)
0024813: [security] CVE-2018-17782: XSS in manage_filter_page.php (atrol)
2 issues View Issues
Released 2018-09-25

Security fix for 2.17.x release

0024731: [security] CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php (dregad)
1 issue View Issues
Released 2018-09-04

Feature release

0012677: [administration] Please change a search option to manage users (atrol)
0024632: [tagging] Tag cannot be selected if a tag containing the text of that tag has already been selected (atrol)
0024616: [relationships] relationship visibility in different project permission (atrol)
0024633: [bugtracker] Late error message when trying to resolve issues (atrol)
0024635: [authorization] Wrong box visibility on My View page (atrol)
0020101: [api soap] mc_filter_search_issues can't filter by date (community)
0023336: [html] Inline image attachments should have their own container to prevent scrolling (atrol)
0023915: [administration] Search for a part of (Real Name - Username - Email) (atrol)
0024622: [api rest] Add function for creating a new project via REST (community)
0024624: [api rest] Add function for updating a project via REST (community)
0024636: [api rest] Add function to delete a project via REST API (vboctor)
0024643: [ui] bug_actiongroup and custom bug_actiongroup don't provide the same user experience when displaying error message (dregad)
0024644: [ui] Footer displays behind sidebar on bug_actiongroup.php (dregad)
0024696: [authorization] Custom fields can be changed without having update_bug_threshold access rights (atrol)
0024717: [api soap] Add filter for the "last updated" date in the soap api (community)
0024719: [administration] Impersonate User is offered for disabled users (atrol)
16 issues View Issues
Released 2018-09-04

Maintenance release for 2.16.x series.

0024647: [security] CVE-2018-14895: XSS in bug_actiongroup.php (atrol)
1 issue View Issues
Released 2018-09-03

Maintenance release for 1.3.x series.

0024648: [security] CVE-2018-14895: XSS in bug_actiongroup.php (atrol)
1 issue View Issues
Released 2018-07-30

Feature release

0022083: [ui] Local copy of Open Sans font does not include Latin-ext characters (atrol)
0023978: [ui] Fonts are not rendered correctly in Windows clients (atrol)
0024416: [upgrade] Improve handling of unserialize errors when upgrading (dregad)
0023992: [ui] Font = Times News Roman after Upgrade from v2.7.0 (atrol)
0024501: [installation] MantisBT on Windows - Check for php_fileinfo.dll enabled on php.ini (atrol)
0024523: [performance] Unneeded information in Change Log and Roadmap (atrol)
0024552: [code cleanup] Code Cleanup (atrol)
0024553: [performance] Performance enhancement of config_get_global function (atrol)
0024564: [timeline] Missing display of events in Timeline if All Projects is selected (atrol)
0024578: [documentation] Documentation: PHP documentation link: "installation.php" -> "install.php" (dregad)
0024579: [documentation] Documentation: Admin Guide: Installation: Broken Link "Microsoft IIS", is now (dregad)
0021376: [upgrade] Error in upgrade process 1.2.17 --> 1.3.0 (dregad)
12 issues View Issues
Released 2018-07-30

Maintenance release for 2.15.x series.

0024580: [security] CVE-2018-13055: Reflected XSS in view filters page (dregad)
0024608: [security] CVE-2018-14504: XSS in edit filters page (atrol)
2 issues View Issues
Released 2018-06-05
0024437: [filters] Cannot save private filter if not allowed to save shared filter (community)
0024496: [wiki] URL encoding precludes reasonable wiki root_namespace values (community)
0024242: [bugtracker] Incorrect issue status setting when changing status (vboctor)
0024388: [api rest] Support create project versions via REST API (vboctor)
0024398: [tagging] Exception Missing Class (atrol)
0024432: [security] Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks (atrol)
0024435: [filters] show_user_realname_threshold is not considered when sorting by reporter or handler (atrol)
0024436: [ui] Selecting users is not easy if show_realname is set to ON (atrol)
0024470: [other] System warning if $g_log_destination = 'page' when using PHP 7.2 (atrol)
0024462: [api soap] Error while querying for issue header with PHP 7.2 (atrol)
0024476: [performance] Unneeded <meta> tag in <head> section (atrol)
0024139: [ui] $g_show_realname for making usernames private (atrol)
12 issues View Issues
Released 2018-04-30
0024336: [administration] Plugin priority changed without being changed by user interaction (atrol)
0024192: [bugtracker] Update ADOdb to 5.20.12 (dregad)
0024236: [code cleanup] IssueAddCommand Prevents API Folder Removal (atrol)
0024174: [code cleanup] E_DEPRECATED error on php7.2: each() function (dregad)
0024196: [api rest] Update Slim Framework from 3.8.1 to 3.9.2 (vboctor)
0024197: [api rest] Update GuzzleHttp from 6.3.0 to 6.3.2 (vboctor)
0024220: [documentation] Wrong documentation of datetime_picker_format in Admin Guide (atrol)
0024325: [code cleanup] Code Cleanup (atrol)
0024326: [documentation] Wrong documentation of my_view_boxes in Admin Guide (atrol)
0024333: [api rest] Support getting a single project via REST API (vboctor)
10 issues View Issues
Released 2018-04-29

Maintenance release for 2.13.x series.

0024221: [security] CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality (dregad)
0024233: [markdown] Markdown quoting rendered with broken HTML (atrol)
0024239: [email] Inconsistent realname display (atrol)
0024335: [api rest] Get all filter or specific filter returns incorrect information (vboctor)
0024343: [api rest] REST API returns too much info for default category handler (vboctor)
0024346: [api rest] Don't show category default handler for users that can't manage the project (vboctor)
0024349: [api soap] API method mc_filter_get does not work (vboctor)
0024353: [code cleanup] mb_internal_encoding no longer being set because of removal utf8 library (atrol)
0024355: [bugtracker] SYSTEM WARNING 'count(): Parameter must be an array or an object that implements Countable' in 'IssueNoteAddCommand.php (atrol)
9 issues View Issues
Released 2018-04-29

Security fixes release for 1.3.x series.

0024365: [security] CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality (dregad)
1 issue View Issues
Released 2018-04-04

Maintenance release for 2.13.x release series.

0024202: [markdown] Broken rendering of @ mentions, # issue and ~ note links (atrol)
1 issue View Issues
Released 2018-04-04

Maintenance release for 2.12.x release series.

0024201: [markdown] Broken rendering of @ mentions, # issue and ~ note links (atrol)
1 issue View Issues
Released 2018-04-01

Feature release

0023998: [code cleanup] Implement IssueAddCommand and use it from SOAP, REST and Web UI (vboctor)
0023161: [timeline] Show File Attachment events in Timeline (dregad)
0024128: [administration] Unable to start system check or installation with wrong PHP version (atrol)
0024056: [custom fields] Custom Fields of type "Textarea" cannot contain more than 255 chars due to bug_history table (atrol)
0010853: [filters] In View Issues list, several columns are sorted by Id instead of display value (cproensa)
0021404: [filters] System Error on changing filters (dregad)
0016070: [email] Delay due to Mantis trying sending emails to non existent address (vboctor)
0023498: [filters] Filtering "note by" with "none" does not return any result (cproensa)
0007264: [filters] Not able to filter issues that have no relationship assigned (cproensa)
0008167: [filters] Filter settings saved when using Anonymous account (cproensa)
0008204: [filters] Filters not remembered when clicking through from "My View" (cproensa)
0022785: [api rest] Support adding attachments when reporting issues (vboctor)
0023214: [performance] Remove usage of outdated phputf8 library (atrol)
0023999: [code cleanup] Implement IssueDeleteCommand and use it from SOAP, REST, and Web UI (vboctor)
0024000: [api rest] Add Issue REST API doesn't trigger EVENT_REPORT_BUG_DATA plugin event (vboctor)
0024001: [api soap] Add Issue SOAP API doesn't trigger EVENT_REPORT_BUG_DATA plugin event (vboctor)
0024002: [api rest] Add Issue REST API doesn't trigger issue_create_validate custom function (vboctor)
0024003: [api soap] Add Issue SOAP API doesn't trigger issue_create_validate custom function (vboctor)
0024004: [api rest] Add Issue REST API doesn't trigger issue_create_notify custom function (vboctor)
0024005: [api soap] Add Issue SOAP API doesn't trigger issue_create_notify custom function (vboctor)
0024006: [api rest] Add Issue REST API doesn't trigger EVENT_REPORT_BUG plugin event (vboctor)
0024007: [api soap] Add Issue SOAP API doesn't trigger EVENT_REPORT_BUG plugin event (vboctor)
0024008: [api rest] Add Issue REST API doesn't add the issue to recent list (vboctor)
0024009: [api soap] Add Issue SOAP API doesn't add the issue to recent list (vboctor)
0013177: [filters] On ‘View Issues’ Page the filter does not allow user to select ‘blank’ ('No Category') Category (cproensa)
0021865: [filters] Filter out duplicated issues (cproensa)
0021867: [filters] Filter field "relationships" resets its value when "duplicate of" is selected (cproensa)
0023476: [bugtracker] Can't login if admin directory has restricted access (atrol)
0023499: [filters] Filtering with "note by" shows results from private notes for unprivileged users (cproensa)
0023500: [filters] Search filter returns matches in private notes for unprivileged users (cproensa)
0023501: [filters] Filter "monitored by" does not have option for "none" (cproensa)
0023502: [filters] Filter "assigned to" does not account for configuration "view_handler_threshold" (cproensa)
0023504: [filters] Filter "monitored by" does not account for configuration "show_monitor_list_threshold" (cproensa)
0023506: [filters] Filter tags inconsistent with OR filter operator (cproensa)
0023538: [filters] Filter field for relationship bug id is set to -1 by default (cproensa)
0023549: [db mysql] Entering Emojis in comments with a user mention crashes with an error (atrol)
0024042: [filters] filter on relationships mistuned by switching sort order (cproensa)
0024089: [authentication] POST request to login_password_page.php return 405 when admin folder is deleted or access restricted (atrol)
0024140: [filters] Application error 401: "ORDER BY clause is not in SELECT list" when sorting by category or project (cproensa)
0022376: [documentation] Wrong documentation of string customization (atrol)
0024158: [bugtracker] Support providing a default value for issue description (vboctor)
0024159: [documentation] $g_default_bug_steps_to_reproduce not documented (vboctor)
0024160: [documentation] $g_default_bug_additional_info not documented (vboctor)
43 issues View Issues
Released 2018-04-01

Maintenance release for 2.12.x

0024077: [timeline] Hyperlink usernames in timeline to user page (vboctor)
0024090: [ui] Username (Realnames) format not showing on timeline (my_view_page) (vboctor)
0024186: [security] CVE-2018-1000162: XSS vulnerability in Parsedown library (dregad)
       0024297: [security] Update Parsedown library to 1.7.1 (dregad)
0024167: [bugtracker] History entries display realname instead of username (atrol)
0024097: [ui] Account page required change password on any field modification (atrol)
0024161: [timeline] Wrong color of username in timeline (atrol)
7 issues View Issues
Released 2018-03-04

Feature release

0023375: [mentions] It is hard to @ mention users when show realnames is enabled (vboctor)
0010493: [code cleanup] Non-existent duplicate_realname column is updated by various functions in user_api.php (vboctor)
0022509: [mentions] users with dashes in their name will not work when @mentioned (example @r-frank) (community)
0023960: [plug-ins] EVENT_AUTH_USER_FLAGS should always be passed username rather than name (vboctor)
0023961: [timeline] Identify Timeline tags operations with a specific icon (dregad)
0023966: [code cleanup] Option session_handler not implemented (atrol)
0023969: [performance] Minor performance and code enhancements of config functions (atrol)
0024020: [localization] Update supported languages (siebrand)
0024043: [ldap] $g_ldap_realname_field generates WARNING: field 'givenName' does not exist. (community)
9 issues View Issues
Released 2018-02-11

Maintenance release for 2.11.x series.

0023954: [api rest] REST API doesn't work from UI for some users (vboctor)
0023955: [administration] Warning message on login page (atrol)
2 issues View Issues
Released 2018-02-07

Feature release

0023942: [bugtracker] Remove deprecated "errcontext" parameter from standard error handler (dregad)
0023838: [api rest] Create user via REST API (vboctor)
0023925: [security] Site path leakage in error handler (vboctor)
0023837: [code cleanup] Implement UserCreateCommand to create users (vboctor)
0023706: [administration] trigger_error() with errors must terminate scripts rather than being config based (vboctor)
0023754: [code cleanup] Remove unused function print_bracket_link and code cleanup (atrol)
0023758: [ui] Allow users to select font family that fits them best (syncguru)
0023876: [installation] Running admin/check fails (dregad)
0023900: [administration] Unable to update user access level, due to check on 'Realname' returning KO (APPLICATION ERROR #807) (vboctor)
0023776: [attachments] Support adding attachments that were not uploaded via the browser (vboctor)
0023899: [api rest] Relationship type was localized in GET issue API (vboctor)
0023714: [api rest] Failing REST API requests should include Mantis error code and localized message (vboctor)
0023762: [api rest] Support adding users to monitor an issue via REST API (vboctor)
0023772: [api rest] Support attachments when adding notes via REST API (vboctor)
0023773: [api rest] Support time tracking when adding notes via REST API (vboctor)
0023780: [api rest] Return status code 429 when hitting spam check limits (vboctor)
0023784: [api rest] REST and SOAP API send two email notifications for mentioned users (vboctor)
0023785: [api rest] Adding notes via SOAP and REST API with time tracking uses incorrect access check (vboctor)
0023786: [code cleanup] Implement IssueNoteDeleteCommand for deleting notes (vboctor)
0023787: [administration] Protected admin users can't be unprotected (atrol)
0023830: [security] Update PHPMailer to 5.2.26 (dregad)
0011327: [reports] "Developer By Resolution" is the only box in the Summary page not ordered (at least it doesn't seem to be any logic behind it) (dregad)
0012978: [code cleanup] Summary - Time Stats For Resolved Issues (days) (dregad)
0022792: [api rest] Support downloading issue attachments (vboctor)
0023627: [feature] Summary page enhancement with bugs ratio support (dregad)
0023774: [code cleanup] Implement IssueNoteAddCommand to share code for adding notes (vboctor)
0023796: [reports] Filter links for resolved/closed custom statuses in Summary By Status report are incorrect (dregad)
0023828: [api rest] Support adding attachments to existing issues via REST API (vboctor)
0023839: [code cleanup] Implement UserDeleteCommand for deleting users (vboctor)
0023840: [api rest] Delete user via REST API (vboctor)
0023854: [reports] Summary: always show the "By Project" box (dregad)
0023855: [code cleanup] Implement TagAttachCommand for attaching tags (vboctor)
0023856: [code cleanup] Implement TagDetachCommand to detach tags (vboctor)
0023857: [api rest] Add REST API to attach a tag (vboctor)
0023858: [api rest] Add REST API to detach a tag (vboctor)
0023863: [reports] Summary: Reporter and Developer by Resolution miss a Total column (dregad)
0023865: [code cleanup] Implement IssueRelationshipAddCommand to add relationships (vboctor)
0023866: [api rest] Support adding relationships via REST API (vboctor)
0023867: [code cleanup] Implement IssueRelationshipDeleteCommand (vboctor)
0023868: [api rest] Support deleting issue relationships via REST API (vboctor)
0023898: [api rest] Some relationships are not formatted correctly in GET issue rest API (vboctor)
0023775: [attachments] Remove obsolete code that checks if PHP file info API is defined (vboctor)
0023926: [ui] Footer displayed under sidebar on error page when $g_show_detailed_errors = ON (dregad)
0023930: [installation] Make Fileinfo a mandatory PHP extension (atrol)
0023944: [bugtracker] The stack trace on detailed error page should not include the error handler itself (dregad)
0023943: [bugtracker] Improve detailed error page layout (dregad)
46 issues View Issues
Released 2018-02-07

Bug fix and security release for 2.10.x series.

0023746: [api soap] unable to create a bug with customfields via SOAP (vboctor)
0023765: [api rest] Wrong constructor name in class FilterConverter (atrol)
0023924: [relationships] Resolving as duplicate does not add reporter and handler to monitoring list of duplicate issue (atrol)
0023906: [security] CVE-2018-6403: XSS in adm_config_report.php 'value' parameter (dregad)
4 issues View Issues
Released 2018-02-07

Security release for 1.3.x series.

0023918: [security] CVE-2018-6403: XSS in adm_config_report.php 'value' parameter (dregad)
1 issue View Issues
Released 2017-12-30

Feature release

0023710: [code cleanup] Remove usage of deprecated function __autoload (vboctor)
0022789: [api rest] Support retrieving user defined filters (vboctor)
0009007: [time tracking] Billing summary does not include sub-projects (community)
0022790: [api rest] Support standard filters defined by the system when retrieving issues (vboctor)
0023679: [administration] Limit change of impersonation threshold to global config (atrol)
0023690: [api rest] Support deleting filters (vboctor)
0023722: [time tracking] Don't print time tracking buttons and export links (community)
0023723: [time tracking] Support configurable default billing rate (community)
0023724: [time tracking] Removed useless collapse icon with duplicated title in billing report (community)
0023742: [html] Broken url for MantisBT logo in admin section (community)
0023753: [ui] UI of Update Product Build page broken (atrol)
11 issues View Issues
Released 2017-12-30

Bug fix release for 2.9.x series

0021393: [administration] When disable "Update an issue", then "Assign to" become access denied (vboctor)
0022093: [administration] Reporter can't change status of a bug (vboctor)
0023719: [administration] The reporter can not solve or close the issue (vboctor)
0023721: [bugtracker] PHP error in change status page when user doesn't have access to private notes (vboctor)
4 issues View Issues
Released 2017-12-04

Feature release

0012602: [custom fields] Default value for a date don't work (vboctor)
0023573: [code cleanup] Unneeded code for option meta_include_file (atrol)
0023640: [code cleanup] Usage of deprecated each() function (atrol)
0023639: [code cleanup] Unneeded code for non supported old PHP versions (atrol)
0023654: [api rest] Don't validate handler when updating issues without updating handler (vboctor)
0023658: [plug-ins] UI for protected plugins broken (atrol)
0023577: [api rest] REST APIs don't enforce required custom fields when reporting issues (vboctor)
0023578: [documentation] Document need for consistency between "normal" and "datepicker" date formats (dregad)
0019482: [custom fields] Using custom fields (date) with default value and required on resolve displays an error (vboctor)
0023466: [db mysql] database is not supported by PHP. Check that it has been compiled into your server. (atrol)
0023572: [code cleanup] Unneeded code for unsupported database types (atrol)
0023575: [api rest] Category lookup is case sensitive (vboctor)
0023579: [api rest] Internal Server Error 500 when category doesn't exist (vboctor)
0023594: [custom fields] Reporting an issue with default date {now} that is not visible doesn't work (vboctor)
0023616: [api rest] Support exporting issue history (vboctor)
0023620: [api rest] PHP error on getting issues when user doesn't have access (vboctor)
0023625: [code cleanup] Function require_lib contains code to search in vendor folder (atrol)
0023626: [performance] Unneeded code executed when retrieving global settings (atrol)
0023630: [administration] Some check boxes on Manage Configuration > Workflow Threshold page are not centered (community)
0023645: [other] No preview of ANSI encoded text files that contain German Umlauts (atrol)
0023648: [api rest] Leverage ETag headers when getting issues (vboctor)
0023650: [api rest] Leverage If-Match when deleting issues (vboctor)
0023653: [api rest] Leverage If-Match when updating issues (vboctor)
0023657: [api soap] mc_issue_update returns bug is read only on status update (atrol)
0023576: [api rest] Issues created via REST API with date custom fields fail (vboctor)
0023692: [authentication] Token API does not work with config show show_realname (dregad)
26 issues View Issues
Released 2017-12-04

Bug fix and security release for 2.8.x series.

0023599: [bugtracker] Access denied when updating bugs (atrol)
1 issue View Issues
Released 2017-12-04

Security release for 1.3.x series.

0023561: [api soap] mc_project_get_issues_for_user() is retrieving issues in the authorization context of target user (vboctor)
1 issue View Issues
Released 2017-10-29

Feature release with fixes and new features, including REST API issue updates and DKIM support for email signing. This release is the first to have the REST API enabled by default.

0023446: [performance] Unneeded files delivered if Mantis Graphs plugin is enabled (atrol)
0023474: [custom fields] Empty numeric fields should be displayed as empty rather than 0 (community)
0023555: [ui] Bugnote text area not styled correctly when private by default (vboctor)
0023560: [bugtracker] Notes added via change status / edit always marked private when private by default (vboctor)
0023396: [api rest] REST API Issue update support (vboctor)
0023451: [performance] Unneeded code delivered to support unsupported IE9 (atrol)
0023460: [ui] Useless UI element on manage_proj_page (atrol)
0023475: [custom fields] Empty float fields should be displayed as empty rather than 0 (community)
0023477: [api soap] Updating issues via APIs should trigger email notifications (vboctor)
0023483: [bugtracker] Auto-refresh shouldn't update last visited (atrol)
0023488: [code cleanup] Usage of deprecated constant (atrol)
0023494: [html] Wrong class name for tags output (atrol)
0023517: [administration] Remove unused config option inline_file_exts (community)
0013126: [plug-ins] Add plugin event EVENT_BUG_ACTIONGROUP_FORM (cproensa)
0016133: [custom fields] Numeric field accepts floats and displays them as numeric (vboctor)
0021225: [bugtracker] resolving parent issues inconsistency (community)
0022441: [bugtracker] Notes are not in the correct order after cloning an issue (cproensa)
0022842: [code cleanup] Remove php_version_at_least() function from PHP API (dregad)
0023493: [email] DomainKeys Identified Mail (DKIM) Signatures (community)
0023503: [bugtracker] Handler user is visible even if view_handler_threshold is configured to not allow (cproensa)
0023516: [api rest] Enable REST API by default (vboctor)
0023518: [bugtracker] "show_assigned_names" configuration is not applied correctly in view_all_bug_page (cproensa)
0023528: [filters] Filter "advanced" mode is reset after sorting through column headers (cproensa)
0023537: [api rest] Facilitate troubleshooting REST API by displaying detailed errors (dregad)
0023543: [email] Update PHPMailer to v5.2.25 (vboctor)
0023542: [code cleanup] Force composer to honor PHP compatibility advertised for MantisBT (vboctor)
26 issues View Issues
Released 2017-10-28

Maintenance release for 2.7 series.

0023507: [authentication] Users can't change their password when it is blank (dregad)
0023512: [html] Custom field type checkbox with required status, force to check all checkboxes to proceed (atrol)
0023544: [installation] Unattended upgrade is broken after moving to Composer (vboctor)
3 issues View Issues
Released 2017-10-08

A feature release that includes both functional and performance improvements.

0023378: [installation] Installation fails when using old but still allowed PHP version 5.3 (atrol)
0022310: [html] Use HTML5 "required" attribute for required form fields (community)
0023395: [db oracle] Performance issue reading config table with oracle database (cproensa)
0009120: [custom fields] Numeric Custom fields on View All don't sort correctly (atrol)
0023324: [performance] Generated css, js code should be cached by browser (cproensa)
0023323: [reports] Wrong filter links on summary page (atrol)
0023381: [code cleanup] Unneeded code for unsupported PHP versions (atrol)
0023420: [relationships] Resolving as duplicate adds reporter and handler to monitoring list (atrol)
0023225: [authentication] Token API does not work with config show show_realname (dregad)
0022872: [ui] Make some buttons visible only when hovering on relevant container (cproensa)
0023251: [timeline] Timeline in view user page resets the user id after dates navigation (cproensa)
0021654: [code cleanup] Deprecate access_has_any_project() (cproensa)
0022870: [ui] buttons without separation (cproensa)
0022871: [ui] print_form_button() does not render inline buttons (cproensa)
0023216: [tagging] Make tag view threshold work at project level (cproensa)
0023242: [code cleanup] Function project_get_local_user_access_level() is redundant (cproensa)
0023248: [ui] Project selection dropdown focus on current selection (cproensa)
0023267: [ui] Misplaced "Reset Prefs" button in user prefs with narrow screen (dregad)
0023301: [api rest] Request an issue in the REST API fail without warning if an enumeration is missing. (community)
0023310: [performance] Unused CSS delivered (atrol)
0023331: [code cleanup] New user_get_username() API function (dregad)
0022182: [ui] Burger menu is sometimes visible without functionality (cproensa)
0022492: [ui] Regression: Resolved/Closed issues are not shown with a line-through (strike-through) (community)
0023264: [api rest] Custom fields not been saved when adding issue through the Rest API (community)
0023268: [db oracle] Error filtering custom fields of type date (cproensa)
0023311: [filters] "View issues" on changelog page does not show closed issues (atrol)
0023367: [plug-ins] Add no-op upgrade step in plugin_upgrade() (dregad)
0023382: [customization] Login logo image not configurable by css (cproensa)
0023393: [administration] Provide some basic operating environment information on manage_overview_page (atrol)
0023411: [performance] Unneeded string copies in general text processing (atrol)
0023425: [reports] PHP errors and warnings when running Issue Trend report (atrol)
0021913: [tagging] Unprivileged user can see related tags from private issues (cproensa)
0022053: [plug-ins] Implement logging functionality for plugins (cproensa)
0022245: [ui] Collapsed menu entry not clickable in complete visible area (atrol)
0023241: [filters] Error when changing sort order in filters, due date field only (cproensa)
0023243: [ui] Narrow space between checkbox/radio button and label (dregad)
0023249: [feature] When logging the caller function, also print the class name if it's a class method (cproensa)
0023377: [other] Textarea custom field entry missing from email (atrol)
0023436: [filters] Editing a stored filter can't update projects property (cproensa)
0023443: [custom fields] Fixes related to custom fields on filters, columns and visibility (cproensa)
       0005713: [custom fields] Custom fields of subprojects are shown in filter for "All projects" but not in parent project. (cproensa)
       0006872: [custom fields] Sort of custom fields does not use data type (cproensa)
       0016358: [filters] Custom field filter does not recursively read all items from sub-projects (cproensa)
       0016359: [filters] Custom field filters does not take user access rights into account (cproensa)
       0019385: [filters] Filtering custom field show bugs from projects where this custom field has been removed (cproensa)
       0023223: [filters] Custom fields filter does not account for read access at project level (cproensa)
       0023232: [filters] Custom field is showed in filter when the user has not view access (cproensa)
       0023233: [custom fields] Issues returned by filter has linked custom fields that are not available as columns (cproensa)
       0023260: [custom fields] Custom fields of type date are not sorted correctly (cproensa)
       0023265: [custom fields] Filter selection for numeric custom fields aren't sorted correctly on distinct values list (cproensa)
       0023266: [custom fields] Filter selection for numeric custom fields show values not coherent with custom field type (cproensa)
51 issues View Issues
Released 2017-09-03

A feature release that includes both functional and performance improvements.

0023202: [ui] Questionable order and functionality of top buttons on "View Issue" page (atrol)
0022984: [ui] Calendar doesn't show the correct date the first time it opens (dregad)
0022730: [ui] 'Manage Configuration' tab usually does not highlight (dregad)
0022813: [customization] Field is appearing in email notification but not used in UI. (joel)
0022967: [ui] Questionable display of "Access Denied" on view_user_page (atrol)
0022981: [ui] Display of hardcoded string on view_user_page if e-mail address is empty (atrol)
0022987: [code cleanup] Replace hardcoded language strings by translatable ones (dregad)
0023061: [ui] print_manage_menu() does not highlight active plugin pages (dregad)
0023116: [html] Due date field not displayed correctly when editing ticket (community)
0023141: [html] Unused CSS delivered (atrol)
0012313: [attachments] Can't open image attachments in browser windows (dregad)
0022913: [email] Update disposable-email-checker to v3.0.1 using Composer (vboctor)
0022939: [code cleanup] Use Parsedown library v1.6.2 via Composer (vboctor)
0022940: [code cleanup] Update PHPMailer from 5.2.22 to 5.2.24 and use Composer (dregad)
0023087: [filters] Removing "Report an issue" permission removes user from Monitoring filter dropdown (atrol)
0023150: [html] Unused code and unused CSS delivered for obsoleted functionality (atrol)
0023159: [ui] Graph display is too faint and blurred (atrol)
0021807: [ui] The required fields are not explicitly visible when updating, resolving or closing an issue (community)
0023143: [api rest] Support adding notes via REST API (vboctor)
0022158: [time tracking] Time tracking report excludes issues with no category assigned (cproensa)
0022919: [time tracking] Time Tracking "auto count" is giving the wrong elapsed time (dregad)
0023112: [custom fields] Custom fields badly filtered when multi-projects (cproensa)
0023131: [api rest] /api/rest/projects doesn't return child projects (vboctor)
0023139: [api rest] Notes returned by /issues REST API have incorrect timestamps (vboctor)
0023144: [api rest] Support issue id as part of the path for REST API (vboctor)
0023145: [api rest] Support deleting notes via REST API (vboctor)
0023184: [bugtracker] AJAX calls with invalid endpoints fail with syntax error (dregad)
0023187: [email] Update PHPMailer v5.2.23 to v5.2.24 (vboctor)
0023188: [bugtracker] Update GuzzleHttp from 6.2.3 to 6.3.0 (vboctor)
0023189: [markdown] Update Parsedown 1.6.2 to 1.6.3 (vboctor)
0023190: [code cleanup] Update PhpUnit from 4.8.35 to 4.8.36 (vboctor)
0023191: [time tracking] Unable to access time tracking reports (atrol)
0023204: [performance] Unused and inefficient code in function layout_print_sidebar (atrol)
0023227: [ui] When specifying top_buttons display, the button on update screen has no styling. (atrol)
0023237: [performance] Project cache is not efficient with navbar project selection. (cproensa)
0012444: [bugtracker] bug_actiongroup_page, on copy, & move, project combo lists projects which the user has no rights (cproensa)
0021695: [ui] "notify user" check should be moved outside the form (cproensa)
0022291: [time tracking] Issue history box is narrower than other boxes above it on View Issue page (cproensa)
0022469: [time tracking] Enabling Time Tracking distorts View Issue Details page layout. (cproensa)
39 issues View Issues
Released 2017-09-03

Security fixes release for 2.5.x series.

0023146: [security] CVE-2017-12061: XSS in /admin/install.php script (dregad)
0023166: [security] CVE-2017-12062: XSS in manage_user_page.php (atrol)
0023179: [security] Login page no longer warns about 'admin' directory being present (dregad)
0023181: [administration] Checks on login page are never executed if "admin" dir does not exist (dregad)
0023185: [security] Improve doc and notifications when admin dir is present (CVE-2017-12419) (dregad)
5 issues View Issues
Released 2017-09-03

Security fixes release for 1.3.x series.

0023175: [security] CVE-2017-12061: XSS in /admin/install.php script (dregad)
0023186: [security] Improve doc and notifications when admin dir is present (CVE-2017-12419) (dregad)
2 issues View Issues
Released 2017-06-17

Maintenance release that fixes installation failure.

0022985: [installation] Initial installation does not continue after clicking install (dregad)
1 issue View Issues
Released 2017-06-04

Feature release with main focus on REST API improvements; some of the fixes also apply to the SOAP API.

0022765: [api rest] Implement a test framework for REST API (vboctor)
0022850: [ui] Installation page layout and style issues (dregad)
0022766: [api rest] Enum name should reflect non-localized enum name and label for localized name (vboctor)
0022767: [api rest] Include status color in status enum value for issues (vboctor)
0022768: [api rest] Support retrieving issues based on filter or a project (vboctor)
0022769: [api rest] Note type should be note instead of timelog if time tracking is not accessible to user (vboctor)
0022770: [api rest] Change version from string to an object (vboctor)
0022771: [api rest] Due date access check should be based on project access level rather than global one (vboctor)
0022772: [api rest] Don't return eta info if feature is disabled (vboctor)
0022773: [api rest] Don't return projection info if feature is disabled (vboctor)
0022774: [api rest] Some access denied errors don't show user info correctly (vboctor)
0022775: [api rest] Rename date_submitted to created_at and last_updated to updated_at (vboctor)
0022776: [api rest] Sticky flag should be a boolean rather than a string (vboctor)
0022777: [api rest] Don't return sponsorship_total (vboctor)
0022778: [api rest] Don't allow setting version to an undefined version (vboctor)
0022779: [api rest] Don't return profile information if feature disabled (vboctor)
0022780: [api rest] Don't return platform, os, and os_build if disabled (vboctor)
0022782: [api rest] Don't return target_version if user doesn't have access to view roadmap (vboctor)
0022783: [api rest] Return 400 instead of server side error if summary, description or project fields are missing (vboctor)
0022788: [api rest] Support retrieving projects accessible to users (vboctor)
0022808: [api rest] Use GuzzleHttp for http requests (vboctor)
0021871: [performance] Improve db_fetch_array performance (cproensa)
0021994: [attachments] issue with attachments cannot be moved between projects with different upload directories (uploads saved in file system) (dregad)
0022809: [api rest] Upgrade Slim Framework from 3.7.0 to latest (3.8.1) (vboctor)
0022851: [installation] Installer should display sample table names based on table prefix/suffix settings (dregad)
0022852: [localization] [de] Incorrect label in German "Change status" form (atrol)
0022865: [code cleanup] Login page displays a PHP system notice when using BASIC_AUTH (dregad)
0022864: [code cleanup] phpdoc for 'print_link_button' has incorrect order of parameters (cproensa)
0022868: [other] PHP variable misspelt in html_api.php (dregad)
0022904: [db mssql] database_api: db_insert_id returns string not int (mssql) (dregad)
0022905: [code cleanup] The URL of the return button in breadcrumbs div has a trailing '?' (dregad)
0022925: [time tracking] Time Tracking - issue (atrol)
0022928: [administration] $g_anonymous_account is case sensitive, preventing normal users from logging in (vboctor)
0022933: [timeline] Confusing entry in timeline when removing other users from monitoring list (atrol)
34 issues View Issues
Released 2017-06-04
0022923: [authentication] Logout page on authentication plugins never gets called (community)
0022926: [custom fields] Custom Fields - Date: Field does not show date (view.php), shows other text (vboctor)
0022937: [custom fields] Custom fields of type Email are not properly displayed (vboctor)
0022950: [custom fields] Custom Fields of Type Text showing Link (Url) as Text only (vboctor)
4 issues View Issues
Released 2017-05-20

MantisBT maintenance release for 2.4.x.

0022428: [markdown] CSV and Excel exports with markdown on (vboctor)
0022906: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
0022909: [security] CVE-2017-7620: CSRF - Arbitrary Permalink Injection (dregad)
0022867: [markdown] Markdown formatting is broken for notes column on View Issues page (vboctor)
4 issues View Issues
Released 2017-05-20

MantisBT maintenance release for 2.3.x

0022907: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
0022908: [security] CVE-2017-7620: CSRF - Arbitrary Permalink Injection (dregad)
2 issues View Issues
Released 2017-05-20

MantisBT maintenance and security release for 1.3.x.

0020168: [db schema] Use of 'mantis' as plugin table prefix prevents plugin's installation (dregad)
0022702: [security] CVE-2017-7620: CSRF - Arbitrary Permalink Injection (dregad)
0022816: [security] CVE-2017-7620: Open redirection vulnerability in /login_page.php (dregad)
3 issues View Issues
Released 2017-04-30
0022635: [time tracking] Empty notes with time tracking show as empty notes for users that can't view time tracking (vboctor)
0022452: [ui] Create new project button (community)
0021558: [ui] log destination for page produces messed output (syncguru)
0022665: [documentation] Wrong documentation of option bug_resolution_fixed_threshold (atrol)
0022689: [bugtracker] HTTP_X_FORWARDED_PROTO is not honored when loading Gravatar (vboctor)
0022744: [signup] Signup is not working on (vboctor)
0022740: [performance] Allowed memory size of 268435456 bytes exhausted (vboctor)
0004235: [authentication] Support Generic Authentication through Plug-ins (vboctor)
0022140: [administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
0022673: [attachments] Dropzone uploads files when submitting other forms (cproensa)
0022762: [api rest] Bug in error handling when user doesn't have access level to handle issue (vboctor)
11 issues View Issues
Released 2017-04-29
0022742: [security] CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php) (dregad)
0022743: [timeline] Timeline "More Events" button also acts as "Next" button (dregad)
0022746: [authentication] Lost password redirects to login page if email address is empty and anonymous access is disabled (vboctor)
3 issues View Issues
Released 2017-04-16

Security and maintenance release

0022700: [localization] Due Date in bug_change_status_page.php (cproensa)
0022653: [filters] Regression: Filter by date broken (cproensa)
0022739: [security] CVE-2017-7615: Account verification page allows resetting any user's password (dregad)
3 issues View Issues
Released 2017-04-16

Security release

0022738: [security] CVE-2017-7615: Account verification page allows resetting any user's password (dregad)
1 issue View Issues
Released 2017-04-16

Security release

0022690: [security] CVE-2017-7615: Account verification page allows resetting any user's password (dregad)
1 issue View Issues
Released 2017-03-31

Feature release including security fixes and our brand new experimental REST API. The REST API can be extended by plugins and power web UI ajax features. In this release the REST API is disabled by default (except for calls from within the web UI using cookie authentication) – see 0022598 for more details.

0022583: [attachments] Open PDFs in the browser rather than downloading them (vboctor)
0022582: [relationships] Relationships box layout is not right for reporters (vboctor)
0022585: [timeline] Show timeline for specific user (cproensa)
0022507: [ui] On Edit Filter page, 'Filter name' input field is too narrow (dregad)
0022445: [ui] Manage users page does not show filters '0'-'9' as selected (atrol)
0022474: [administration] "Obsolete configuration" warnings when running admin checks (atrol)
0022499: [documentation] Document reuse of language strings (dregad)
0022501: [ui] Enhance layout of "View Issue Details" page (atrol)
0022505: [ui] Enhance layout of "Updating Issue Information" (atrol)
0022506: [attachments] Error updating project document (atrol)
0022423: [html] ID attribute for bugnote_text (community)
0022541: [localization] Enhance wording in manage_config_email_page.php and manage_config_work_threshold_page.php pages (atrol)
0022548: [ui] Remove unnecessary 'center' class from textarea in bugnote edit page (community)
0022571: [html] Add ID attribute for bugnote_text textarea (community)
0022572: [documentation] Wrong default value in documentation of "g_show_version" (atrol)
0021552: [ui] My account preferences: move project list outside the form (cproensa)
0022543: [ui] Open images in the browser rather than download them (vboctor)
0022473: [plug-ins] Avatars should respect image aspect ratio (community)
0022590: [ui] Broken javascript and missing footer in My View Page (cproensa)
0022593: [plug-ins] Broken Snippet plugin (vboctor)
0022598: [api rest] REST API Framework (vboctor)
       0022599: [code cleanup] Use composer to pull in dependencies (vboctor)
       0022600: [api rest] Enable plugins to publish their own REST APIs (vboctor)
       0022601: [api rest] Support using REST API from Web UI Javascript (vboctor)
       0022602: [api rest] Provide a sandbox for interacting with REST API using Swagger UI (vboctor)
0022617: [code cleanup] Unneeded CSS file calendar-blue.css (atrol)
26 issues View Issues
Released 2017-03-31

Security fixes and maintenance release

0022545: [markdown] Markdown still converting '& amp;' to & and '& lt;' to < (dregad)
0022392: [filters] Sorting all bugs list using a column header after applying a filter resets the filter (cproensa)
0022496: [filters] Permalink does not work with "Note By" (cproensa)
0022566: [filters] Filter error due to "view status" having an array value (cproensa)
0022555: [filters] Regression in custom field sorting (cproensa)
0022613: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
0022615: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
0022333: [markdown] Markdown starts heading in the middle of a line (joel)
8 issues View Issues
Released 2017-03-31

Security fixes release

0022063: [db mssql] Installation on MSSQL fails at step 209 (dregad)
0022568: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
0022579: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
0022208: [db mssql] File upload to MS-SQL not working (dregad)
4 issues View Issues
Released 2017-03-30

Security release

0022612: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
0022614: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
2 issues View Issues
Released 2017-03-21

Maintenance and Security release for 2.2 series

0022562: [security] CVE-2017-6973: XSS in adm_config_report.php (dregad)
1 issue View Issues
Released 2017-03-21

Maintenance and Security release for 2.1 series

0022564: [security] CVE-2017-6799: XSS in view_filters_page.php (dregad)
0022565: [security] CVE-2017-6973: XSS in adm_config_report.php (dregad)
0022563: [security] CVE-2017-6797: XSS in bug_change_status_page.php (dregad)
3 issues View Issues
Released 2017-03-21

Maintenance and Security release for 1.3 series

0022537: [security] CVE-2017-6973: XSS in adm_config_report.php (dregad)
0022468: [other] Resolution changes in some cases when closing issues (atrol)
2 issues View Issues
Released 2017-03-11

Maintenance release for 2.2 series including security fixes.

0022246: [markdown] Markdown is converting '&' signs to (ampersand[amp;]) inside code block or backtick as well (joel)
0022497: [security] CVE-2017-6799: XSS in view_filters_page.php (dregad)
0022561: [security] CVE-2017-6797: XSS in bug_change_status_page.php (dregad)
0022442: [printing] System error when opening Print reports (dregad)
0022479: [administration] Can't edit a project's name changing only accents a on MySQL (dregad)
0022510: [installation] Attempting to connect to database as admin BAD despite valid userid and password (dregad)
6 issues View Issues
Released 2017-02-26

A feature release that includes all fixes from the 2.1.1 release listed above, some setup fixes, status color visibility improvements, removal of some unnecessary JS/CSS, and multiple improvements to the relationships feature.

0021881: [javascript] Remove jquery-ui is not longer used in Modern UI (syncguru)
0022256: [javascript] Unbundle JS libraries from Ace theme files (syncguru)
0022401: [installation] Installer displays horizontal blue line under "Checking installation" section header (dregad)
0022361: [relationships] Trigger notifications on related issues when an issue is deleted (vboctor)
0022400: [installation] Installer does not show "GOOD" status for DB connections (dregad)
0021796: [ui] inline attachments should be directly visible (dregad)
0021724: [ui] Improve visibility of status colors (syncguru)
0008313: [relationships] More work needs to move to Relationship APIs (vboctor)
0016933: [relationships] Deleting relationship should set target bug's last updated (vboctor)
0021619: [code cleanup] Use constants instead of hardcoded values for filter view types (dregad)
0021897: [ui] Unaligned color coding of status (syncguru)
0022273: [javascript] Enable CDN support for dropzone.js (syncguru)
0022296: [code cleanup] Options in $g_public_config_names are not sorted (atrol)
0022316: [code cleanup] Duplicate code to display the filter view type toggle menu item (dregad)
0022360: [relationships] relationship_add() doesn't return bug relationship information (vboctor)
0022362: [relationships] Use bin icon instead of 'delete' button to delete relationships (vboctor)
0022363: [relationships] Setting a duplicate id should update relationship with target issue if already exists (vboctor)
17 issues View Issues
Released 2017-02-26

A maintenance release for 2.1.x series

0022302: [filters] Permalink does not work with tags (cproensa)
0022266: [security] CVE-2017-7222: Sanitize window title (vboctor)
0022288: [bugtracker] Due date current value doesn't show in change status form (syncguru)
0022326: [time tracking] g_time_tracking_without_note has no effect (vboctor)
0022347: [filters] Filter allows to sort on non sortable fields (cproensa)
0022359: [ui] Enhance filter box UI (syncguru)
0022369: [filters] Recently Modified box on View Issues page does not display closed issues (cproensa)
7 issues View Issues
Released 2017-02-01

Maintenance release for 2.0.x series.

0022114: [tools] Travis builds should reflect supported PHP versions (dregad)
0022107: [plug-ins] EVENT_MENU_MAIN does not support relative paths (dregad)
0022157: [installation] Incorrect Error Message on MSSQL installation (atrol)
0022168: [webpage] HTTPS for powered by-link (atrol)
0022230: [news] PHP system notice on News page (vboctor)
5 issues View Issues
Released 2017-01-30

MantisBT 2.1.0 feature release

0021935: [filters] Filter api refactoring, manage stored filters (cproensa)
       0006823: [filters] Date filter should work with "last update", too (community)
       0021618: [code cleanup] Duplicate code to determine the default view type (cproensa)
       0006732: [administration] Sorting issue lists isn't stable (each sort scrambles previous sort) (cproensa)
       0008626: [filters] Filter forgets custom date filtering (cproensa)
       0017852: [filters] Tags is showing on its own row in filter box (cproensa)
       0021031: [filters] Rewrite the filter box form (cproensa)
       0021032: [filters] Setting $g_filter_custom_fields_per_row to other than default can cause empty cells in filter box (cproensa)
       0021592: [filters] Unknown column 'mantis_bug_table.tags' (cproensa)
       0021827: [filters] Displaying date filter values : month always displayed in text (english) (community)
       0003803: [filters] Provide a way to update a saved filter (cproensa)
       0006042: [filters] Switching to "Advanced Filters" hides "Hide Status" and ignores setting (cproensa)
       0006551: [customization] Manage custom filters (cproensa)
       0007708: [feature] Feature: multiple sorting of problem informations (cproensa)
       0011007: [filters] After setting $g_view_filters = ADVANCED_ONLY in config_inc.php can still end up in simple filter mode. (cproensa)
       0020493: [filters] Wrong hide_status value on column sorting (cproensa)
       0020624: [filters] Filter shown inconsistent after changing from advanced to simple (cproensa)
       0020882: [filters] Filter by date inputs are shown disabled (cproensa)
       0021029: [bugtracker] Triggering a DEPRECATED error from the page body fails (cproensa)
       0021044: [performance] my view page, $t_hide_status_default consistency (cproensa)
       0021811: [filters] Advanced filter shows incorrect fields (cproensa)
       0009213: [filters] manage filter (cproensa)
       0009301: [filters] Add support for updating a current filter (cproensa)
       0018045: [ui] Changed ordering of fields on View Issues page (cproensa)
       0019700: [filters] Filters table on the view_all_bug_page.php shows empty lines when $g_enable_profiles is set to OFF (cproensa)
       0021814: [filters] plugin filter fields dont work with dynamic input (cproensa)
0022175: [markdown] Markdown converting '<' within backticks to & lt; (joel)
0005731: [feature] search function for projects (vboctor)
0021551: [administration] Manage Users pagination loses filter letter (community)
0022209: [bugtracker] Adding a custom field to a project makes the filter for this project unusable (atrol)
0011604: [change log] Versions marked as obsolete appear on change log page (vboctor)
0022164: [markdown] Font for quoted string in markdown is too large (joel)
0022172: [markdown] Markdown not displaying single line breaks (joel)
0022113: [localization] integration updates (dregad)
0022169: [attachments] File upload not working when $g_allowed_files is set (atrol)
0022171: [plug-ins] Redefine plugin version requirements (dregad)
0022179: [markdown] Markdown is eating apostrophe / single quote (joel)
0022204: [markdown] News headlines are parsed with markdown, though they should not be (vboctor)
0022205: [plug-ins] Specifying plugin authors as array triggers 'Array to string conversion' (dregad)
0022206: [plug-ins] Improve documentation for plugins (dregad)
0022221: [documentation] Documentation: update 'Database tables' section (dregad)
0022232: [email] Email verbose notifications should be OFF by default (vboctor)
0022237: [code cleanup] Remove references to 'register_globals' (dregad)
0022239: [ui] checkbox for personal setting "E-mail Full Issue Details" still using old style (dregad)
0017920: [markdown] Native markdown support (joel)
0022131: [timeline] Remove yellow background in timeline date range (dregad)
46 issues View Issues
Released 2016-12-30
0021841: [installation] Minimum requirements for 2.x releases (dregad)
0020040: [security] Replace jscalendar by a newer widget (syncguru)
0022059: [ui] Missing leading zeroes in due date display (dregad)
0021927: [administration] System utilities page for moving attachments should support move all attachments (joel)
0021925: [ui] Incorrect text for the remove file button in the file upload dropzone (dregad)
0021965: [documentation] Section Admin Guide: Misaligned row in Table (dregad)
0022064: [javascript] datetime picker does not work if 'cdn_enabled' is ON (community)
0021962: [ui] Due Date calendar icon wraps below the field (syncguru)
8 issues
Released 2016-11-26

The second release candidate for the 2.0.0 release. It includes all the fixes in the 1.3.4 release.

0021758: [administration] System utilities page for moving attachments not styled correctly in modern ui (joel)
0021840: [html] Add missing closing <div> in layout_api.php (syncguru)
0021854: [authentication] Re-authenticating when visiting manage page should re-use login page (vboctor)
0021861: [ui] Remove black bar from login page when it is empty (vboctor)
0021815: [code cleanup] print_button() has changed definition from v1.3 (cproensa)
5 issues
Released 2016-10-30

We are excited to share a milestone for the 2.0.0 release: the first release candidate. We encourage users to try it out and give us feedback. Since 2.0.0-rc.1 and 1.3.3 share the same database schema, it should be easy to try them out side by side. Download it now or check it out at

0021727: [attachments] Show attachments inline with notes (vboctor)
0021651: [security] Dropzone has inline scripts in View Issue page (syncguru)
0021806: [attachments] Attachment dropzone missing from notes when user doesn't have access to set view state (vboctor)
0021829: [email] Fix $g_mail_priority disabling and default to disabled (vboctor)
0021669: [security] Charts have inline scripts (syncguru)
0021715: [mobile] Menu and buttons missing for mid size browser window (syncguru)
0021722: [attachments] Issues with '+' button to view attachments inline (dregad)
0021736: [ui] Display real name in breadcrumb div (atrol)
0021743: [attachments] Attach files dropzone is not working (vboctor)
0021754: [mobile] Main navigation has no action / does not expand when clicked on (syncguru)
0021794: [mobile] Hide 'View Issues' buttons on small screens (syncguru)
0021805: [javascript] Javascript errors on login page (community)
12 issues
0020102: [ui] Support switching saved filters and free text search when filter box is collapsed (syncguru)
0021697: [ui] Clearer distinction between private and public notes (joel)
0021684: [ui] Account verify page layout broken (joel)
0021121: [ui] Project selection not usable with large number of projects (syncguru)
0021681: [ui] Breadcrumbs bar does not respect $g_show_realname (dregad)
0021603: [code cleanup] Publish full source code of ACE template (syncguru)
0021653: [reports] Graphs broken (vboctor)
0021682: [ui] "Operation successful" confirmation message partially hidden (dregad)
0021683: [ui] Standardize "operation successful" messages (dregad)
0021689: [code cleanup] Obsolete icon_path configuration (atrol)
0021710: [ui] Incorrect display on Bug report confirmation page (dregad)
0021704: [ui] Report Stay checkbox shows broken layout on action page (dregad)
0021721: [ui] Missing tooltips on issue id (dregad)
0021723: [bugtracker] Redirect to report page when creating a new issue with "report stay" checked (dregad)
0021726: [ui] Page bottom displayed behind Sidebar in API Tokens page (community)
0021728: [performance] Unneeded tooltip information on Summary page (dregad)
16 issues
0021642: [ui] Highlight due date when the date has passed (syncguru)
0021112: [performance] Unneeded tooltip information on "My View" page (syncguru)
0021650: [security] Content-Security-Policy is disabled in 2.0.0-beta.1 (vboctor)
0021111: [localization] Language strings contain double quotes (syncguru)
0021114: [ui] Manage users page action buttons appears on 2 rows when showing 'Unused' (syncguru)
0021117: [ui] Plugin dependencies are no longer color-coded (syncguru)
0021119: [ui] Wrong alignment of field on "Summary" page (syncguru)
0021123: [ui] Waste of vertical space on "My View" page (syncguru)
0021137: [ui] Questionable display of sub-projects in project menu bar (syncguru)
0021139: [ui] Display of file type icon broken on print_bug_page (syncguru)
0021223: [ui] "Report Issue" button on top toolbar should be hidden for VIEWER/anonymous users (vboctor)
0021224: [ui] Login and Signup buttons in top header don't work for anonymous users (vboctor)
0021397: [plug-ins] Plugin menu options don't show in main menu (vboctor)
0021398: [ui] My Account - Manage Columns actions page broken (syncguru)
0021400: [ui] Collapse settings are not saved by modern UI (syncguru)
0021405: [wiki] Wiki integration broken (vboctor)
0021414: [customization] Config menu options don't show in main menu (vboctor)
0021575: [reports] Graphs for enums (e.g. status) can break when an enum has 0 occurrences (vboctor)
0021599: [ui] The test results in Admin Check results are no longer colored (dregad)
0021602: [administration] Admin: "Upgrade your installation" shown even when schema is up-to-date (syncguru)
0021609: [news] Page broken after updating news (atrol)
0021622: [administration] Alert messages are not styled correctly (syncguru)
0021638: [ui] Tables in Workflow Transitions page seems deformed (syncguru)
0021644: [ui] Don't offer "My Account" in menu when being logged in as protected user (dregad)
0021647: [filters] New to restyle 'filter deleted' page (vboctor)
25 issues

The MantisBT 2.0.0 release focuses on improvements to the UI compared to the 1.3.x releases. As of this release, the db schema is the same between 1.3.x and 2.0.0-beta.1, enabling users to easily try 2.0.0-beta.1 and provide feedback.

0021214: [bugtracker] Update jQuery to 2.2.4 (community)
0020240: [ui] Footer issue: problem + solution (syncguru)
0008503: [feature] Have "send reminder" as a button rather than a not so visible link at the top of the issue (atrol)
0021115: [ui] Manage users page always shows filter '0' as selected (dregad)
0021140: [db schema] Remove DB2 support (atrol)
0020907: [ui] Report stay doesn't work in modern UI (vboctor)
0005851: [reports] X-Labels truncated in by Category Graph (vboctor)
0006663: [reports] I'm seeing three JPGraph-related problems (vboctor)
0007342: [reports] synthesis graphs by category: many "big" categories hide pie by legend (vboctor)
0007343: [reports] synthesis graphs by category: page not long enough for legend with a lot of categories (vboctor)
0007991: [reports] Graphs not centered (vboctor)
0010403: [reports] The legend on JPGraph graphs overlays the graph (vboctor)
0012159: [reports] By Developer, By Reporter and By date graph problems (vboctor)
0012384: [reports] Graph text being truncated (vboctor)
0012483: [reports] Jp graph not displaying (vboctor)
0012725: [reports] Solution to "font file not readable/does not exist" seems not to work for JPGraph (vboctor)
0012825: [reports] Modern graphs using javascript graphing library (vboctor)
0012967: [reports] Category jpGraph not displayed (vboctor)
0013097: [reports] Graphs not working (vboctor)
0013160: [reports] Labels on x-axis in summary graphs too small and cropped (ezcLibrary) (vboctor)
0013879: [reports] Graph plugin uses hard coded font list; ignores any other (vboctor)
0014232: [reports] Advanced summary bad display (vboctor)
0015246: [reports] JPGraph 3.5.x anti aliasing error in Ubuntu (vboctor)
0017493: [reports] Graphs are not working out of the box (vboctor)
0021134: [relationships] Use of undefined constant when displaying relationship graphics (atrol)
0021177: [reports] Jpgraph doesn't work (vboctor)
0011671: [reports] 3 graphs could not display in the page of 'summary_jpgraph_page.php' (vboctor)
0017919: [ui] Modernize Mantis UI (syncguru)
0020286: [javascript] Missing JavaScript libraries (syncguru)
0020118: [ui] pen icon ancient (syncguru)
0020182: [custom fields] wrong field name for custom field parameter (syncguru)
0021130: [tagging] Usage of undefined function html_page_bottom (syncguru)
0021131: [signup] Usage of undefined functions in verify.php (vboctor)
0021215: [bugtracker] Update FontAwesome to 4.6.3 (community)
0021216: [bugtracker] Upgrade Bootstrap to 3.3.6 (community)
0021217: [bugtracker] Use cross origin anonymous and check integrity when loading from CDN (community)
0021221: [ui] Fully localize drag and drop to attach (community)
0021220: [ui] Lost password form doesn't have labels or placeholder text (vboctor)
0021222: [ui] Drag and drop should honor 'allowed_files' config option (community)
0019590: [attachments] Attach via drag-and-drop (syncguru)
0021279: [administration] Fix error when going to Manage - Workflow Transitions and clicking update (vboctor)
41 issues