OTOBO Release Notes
OTOBO 10.0.19 – a security patch
05 October 2023
Security-related:
- XSS Vulnerability: Fixed a vulnerability enabling attackers with permission to create customer users (AdminCustomerUser) to inject JavaScript code.
- Header Injection: Fixed a vulnerability which allowed a header injection via web services. Only systems with activated web services were affected.
Thanks to Tim Püttmann (maxence) for reporting those issues.
Criticality: Medium
Also new in OTOBO 10.0.19
- [Enhancement] Added an optional leeway for times when checking OpenID Connect auth data.
- [Bugfix] Fixed a bug which requested customers to change their password whenever an agent had changed customer data via AdminCustomerUser.
- [Bugfix] Corrected use of the option 'AuthSyncModule::LDAP::GroupDN'.
- [Bugfix] Fixed a bug which prevented using dynamic fields with Elasticsearch. Thanks to wetzf for the Pull Request.
- and more.
Please update your system.