OTOBO Release Notes
OTOBO 10.1.6 – a security patch
20 December 2022
Security-related:
- SQL Injection: We fixed a vulnerability enabling attackers to inject SQL code in the webservice operation TicketSearch.
CVE-2022-4427, Severity: 6.5 MEDIUM
- JS Injection: Fixed a vulnerability in the admin interface enabling attackers with OTOBO admin permissions to inject JS code.
Thanks to Tim Püttmann (maxence) for reporting those issues.
Criticality: Medium (5.6)
Also new in OTOBO 10.1.6 - bugfixes and minor updates
- [Bugfix] Appointment notifications are now sent when IsVisibleForCustomer is set
- [Bugfix] Print company ticket in CustomerTicketOverview showed wrong "printed by" information. The person printing is now shown instead of the ticket owner.
- [Bugfix] Fixed hidden filters for Medium and Preview (TicketOverview)
- [Bugfix] Optimised style options for images in the CKEditor. Pictures added to the signature can now be formatted correctly.
- [Bugfix] Stopped running BasePassword preapplication modules for AjaxAttachment action. Prevents a rare bug with AjaxAttachments not working.
- [Bugfix] Corrected migration.pl setting for Package::RepositoryRoot. Always reset package repository root during migration.
- [Bugfix] CustomerFrontend::Navigation###ExternalURLJump###1 was impossible to enable
- [Enhancement] Created a new docker file otobo.kerberos.web.docker
- [Bugfix] Sender display name was not always quoted. Fixed a rare case where email addresses were not interpreted correctly.
- [Bugfix] Redirect from HTTP did not honor OTOBO_WEB_HTTPS_PORT
- [Enhancement] Added a script to solve utf8 / utf8mb3 problems to debug a special migration problem.
- [Enhancement] Fixed issues with ConfigurationDeploySync for scenarios using S3 storage
- [Bugfix] Generic Agent now persistently sets SendNoNotification for all following Events. In some cases notifications were not sent when events were triggered by generic agents.
- [Enhancement] Avoid high CPU load in SystemConfigurationOutOfSyncCheck notification
- [Bugfix] CLOB columns are now base64 decoded when migrating from Oracle to MariaDB
- [Bugfix] Do not check source db name in Oracle migration.
- Fixed the Perl 5.34 shmwrite problem in OTOBO 10
Please update your system.