OTOBO Release Notes

OTOBO 10.0.19 – a security patch

05 October 2023

Security-related:

  • XSS Vulnerability: Fixed a vulnerability enabling attackers with permission to create customer users (AdminCustomerUser) to inject JS code.
  • Header Injection: Fixed a vulnerability which facilitated a header injection via web services; only systems with activated web services were affected.

Thanks to Tim Püttmann (maxence) for reporting those issues.

Criticality: Medium

CVE-2023-5421

Also new in OTOBO 10.0.19

  • [Enhancement] Added an optional leeway for times when checking OpenID Connect auth data.
  • [Bugfix] Fixed a bug requesting customers to change their password whenever an agent had changed customer data via AdminCustomerUser.
  • [Bugfix] Corrected use of the option 'AuthSyncModule::LDAP::GroupDN'.
  • [Bugfix] Fixed a bug which prevented using dynamic fields with Elasticsearch. Thanks to wetzf for the Pull Request.
  • and more.

Please update your system.