OTOBO Release Notes

OTOBO 10.1.6 – a security patch

20 December 2022


  • SQL Injection: Wir fixen eine Schwachstelle, die es Angreifern ermöglichte über die Webservice-Operation “TicketSearch” SQL-Code einzuschleusen.
    CVE-2022-4427, Severity: 6.5. MEDIUM
  • JS Injection: Fixed a vulnerability in the admin interface enabling attackers with OTOBO admin permissions to inject JS Code

Thanks to Tim Püttmann (maxence) for reporting those issues.

Criticality: Medium

Also new in OTOBO 10.1.6 - bigfixes and minor updates

  • [Bugfix]   Appointment notifications are now sent when IsVisibleForCustomer is set
  • [Bugfix]   Korrektur der “Gedruckt von”-Informationen beim Drucken von Unternehmenstickets in der CustomerTicketOverview. Statt des Ticketbesitzers wird nun die Person angegeben, die den Druck ausgelöst hat.
  • [Bugfix] Fixed hidden filters for Medium and Preview (TicketOverview)
  • [Bugfix] Optimised style options for images in the CKEditor. Pictures added to the signature can now correctly be formatted
  • [Bugfix] Stopped running BasePassword preapplication modules for AjaxAttachment action. Prevents a rare bug with AjaxAttachments not working.
  • [Bugfix] Corrected migration.pl setting for Package::RepositoryRoot. Always reset package repository root during migration.
  • [Bugfix] CustomerFrontend::Navigation###ExternalURLJump###1 was impossible to enable [Enhancment] Created new docker file otobo.kerberos.web.docker
  • [Enhancement] Created a new docker file otobo.kerberos.web.docker
  • [Bugfix] Sender display name was not always quoted. Fixed a rare case where email adresses were not interpreted correctly.
  • [Bugfix] Redirect from HTTP did not honor OTOBO_WEB_HTTPS_PORT
  • [Enhancement] Added a script to solve utf8 / utf8mb3 problems to debug a special migration problem.
  • [Enhancement] Fixed issues with ConfigurationDeploySync for scenarios using S3 storage
  • [Bugfix] Generic Agent now persistently sets SendNoNotification for all following Events. In some cases notifications were not sent when events were triggered by generic agents.
  • [Enhancement] Avoid high CPU load in SystemConfigurationOutOfSyncCheck notification
  • [Bugfix] CLOB colums are now base64 decoded when migrating from Oracle to MariaDB
  • [Bugfix] Do not check source db name in oracle migration.
  • Fixed the Perl 5.34 shmwrite problem in OTOBO 10

Please update your system.