MantisBT 2.25.5

Security and maintenance release fixing vulnerabilities with SVG file attachments (CVE-2022-33910), which are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.

0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad) …
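
A check for the configuration step above, as an added example that is not MantisBT's own code: it scans the text of a PHP config file and reports whether a custom $g_disallowed_files includes svg. The sample configs are constructed, and comparing exact tokens (no trimming or case folding) is a conservative assumption, since the page does not say how MantisBT matches list entries.

```python
import re
import sys

# Active PHP assignment such as: $g_disallowed_files = 'php,html';
# Lines starting with '#' or '//' do not match because of the ^ anchor.
ASSIGNMENT = re.compile(
    r"""^[ \t]*\$g_disallowed_files\s*=\s*(['"])(.*?)\1\s*;""", re.MULTILINE
)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def custom_disallowed_files(config_text):
    """Return the list from the last active assignment, or None if not overridden."""
    matches = ASSIGNMENT.findall(BLOCK_COMMENT.sub("", config_text))
    if not matches:
        return None
    return matches[-1][1].split(",")  # the last assignment wins in PHP


def audit_svg(config_text):
    """'default': no custom list, so the 2.25.5 default applies.
    'blocked': custom list contains svg. 'missing': custom list lacks svg."""
    extensions = custom_disallowed_files(config_text)
    if extensions is None:
        return "default"
    # Assumption: exact-token match only, so 'SVG' or ' svg' is reported as missing.
    return "blocked" if "svg" in extensions else "missing"


# Constructed sample configs (not taken from a real installation).
SAMPLE_NO_OVERRIDE = "<?php\n// no upload restrictions configured here\n"
SAMPLE_MISSING = (
    "<?php\n"
    "# $g_disallowed_files = 'svg';\n"          # commented out, ignored
    "$g_disallowed_files = 'php,html,exe';\n"   # custom list without svg
)
SAMPLE_FIXED = (
    "<?php\n"
    "/* $g_disallowed_files = 'php'; */\n"      # block comment, ignored
    '$g_disallowed_files = "php,html,exe,svg";\n'
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the instance's config file, supplied by the operator
        with open(sys.argv[1], encoding="utf-8") as handle:
            print(sys.argv[1], audit_svg(handle.read()))
    else:
        for name in ("SAMPLE_NO_OVERRIDE", "SAMPLE_MISSING", "SAMPLE_FIXED"):
            print(name, audit_svg(globals()[name]))
```

A result of missing means the instance overrides the list and still accepts SVG uploads after upgrading.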