Released 2020-09-25

Security release including 3 CVEs. Many thanks to d3vpoo1 (https://gitlab.com/jrckmcsb) for identifying most of the issues.

  • 0027268: [security] Admin can get issues assigned to users not allowed to handle them (dregad)
  • 0027039: [security] CVE-2020-25781: Access to private bug note attachments (dregad)
  • 0027275: [security] CVE-2020-25288: HTML Injection on bug_update_page.php (dregad)
  • 0027276: [security] Send reminder to viewer (dregad)
  • 0027283: [security] Admin can set viewer as a tag creator (dregad)
  • 0027284: [plug-ins] Priority can override to any positive integer (dregad)
  • 0027299: [code cleanup] Remove code duplication in File API (dregad)
  • 0027303: [code cleanup] When processing categories, it is not necessary to know the project id (dregad)
  • 0027304: [security] CVE-2020-25830: HTML Injection in bug_actiongroup_page.php (dregad)
9 issues