OTOBO Release Notes

OTOBO 10.0.17 – a security patch

20 December 2022


  • SQL Injection: We fixed a vulnerability enabling attackers to inject SQL code in the webservice operation TicketSearch. CVE-2022-4427, Severity: 6.5 (MEDIUM)
  • JS Injection: Fixed a vulnerability in the admin interface enabling attackers with OTOBO admin permissions to inject JS code
  • Admin Interface: Fixed a vulnerability enabling attackers with OTOBO admin permissions to inject code via ACLs

Thanks to Tim Püttmann (maxence) for reporting those issues.

Criticality: Medium

Also new in OTOBO 10.0.17

  • [Bugfix] Appointment notifications are now sent when IsVisibleForCustomer is set
  • [Bugfix] CLOB columns are now base64 decoded when migrating from Oracle to MariaDB
  • Fixed the Perl 5.34 shmwrite problem in OTOBO 10
  • [Tidied] Updated JavaScript libraries
    Careful: Mind our notes on handling manual changes to Loader::Agent::CommonJS###000-Framework and Loader::Customer::CommonJS###000-Framework (see below).
  • [Bugfix] Fixed SMIME for newer OpenSSL versions.
  • [Bugfix] Fixed a bug in LDAP groups to OTOBO roles synchronization

Please update your system.

Notes on changed SysConfig options in OTOBO 10.0.17


As in OTOBO 10.1, several JavaScript libraries have been updated with this patch.
They are defined in the SysConfig options "Loader::Agent::CommonJS###000-Framework" and "Loader::Customer::CommonJS###000-Framework".

In case you changed these options manually in the SysConfig (which we do NOT recommend), it will not be possible to automatically update them.

In this case, please note down your changes, reset your settings, run the update and manually adapt the option again, if needed.