OTOBO Release Notes

OTOBO 10.1.8 – a security patch

05 October 2023


  • XSS Vulnerability: Fixed a vulnerability that allowed attackers with permission to create customer users (AdminCustomerUser) to inject JavaScript code.

Thanks to Tim Püttmann (maxence) for reporting this issue.

Criticality: Medium



Also new in OTOBO 10.1.8

  • [Enhancement] Added an optional leeway for times when checking OpenID Connect auth data.
  • [Translation] Translations added in Arabic (Saudi Arabia), French, German, Japanese, Norwegian, Polish, Russian.
  • [Bugfix] Fixed a bug that prompted customers to change their password whenever an agent had changed customer data via AdminCustomerUser.
  • [Bugfix] Corrected use of the option 'AuthSyncModule::LDAP::GroupDN'.
  • [Bugfix] Fixed a bug which prevented using dynamic fields with Elasticsearch. Thanks to wetzf for the Pull Request.
  • [Bugfix] Hid the reply button in CustomerTicketZoom for closed tickets to which no follow-ups are allowed.
  • [Bugfix] Fixed a bug in the SysConfig that restricted the functioning of keys containing ### in the frontend.
  • and more.

Please update your system.