
9.5.4

@trasher trasher released this 02 Mar 13:38
· 403 commits to 9.5/bugfixes since this release

This is a security release; upgrading is recommended.

Note: these are medium-severity security issues. Some have been present for a long time (since version 0.68), but none of them was rated high or critical this time.

Download it

Non exhaustive list of changes:

  • [security] Horizontal Privilege Escalation (CVE-2021-21326)
  • [security] entities switch IDOR (CVE-2021-21255)
  • [security] XSS injection in ajax/kanban (CVE-2021-21258)
  • [security] XSS injection on ticket update (CVE-2021-21314)
  • [security] Stored XSS on documents (CVE-2021-21312)
  • [security] XSS on tabs (CVE-2021-21313)
  • [security] Stored XSS in budget type (CVE-2021-21325)
  • [security] Unsafe Reflection in getItemForItemtype() (CVE-2021-21327)
  • [security] Insecure Direct Object Reference (IDOR) on "Solutions" (CVE-2021-21324)
  • Handle RFC5987 format in Content-Disposition header
  • Fix email attachment decoding logic
  • Fix tickets ID fetching from email headers
  • Fix graph counts
  • Add search filter criteria for widget by year
  • New filter ‘my groups’
  • Populate meta criteria in a generic way
  • Make custom CSS from entities inheritable
  • and more!

See changelog for details.