OTOBO Release note
OTOBO 10.0.10 – Security Patch
21 April 2021
Security-related:
- OTOBO 10.0.10 fixes a critical security issue that made it possible for attackers to access data in the ticket overview by way of an XSS attack using a manipulated email. Thanks to the Znuny team for sharing the issue and providing the fix (ZSA-2021-06; criticality: high).
- jQuery-Validate update to 1.19.3, fixing a security issue that enabled ReDoS attacks (CVE-2021-21252; criticality: low).
Also new:
- New language: Sinhala
- New: Individual settings in the customer interface. This feature is activated by default. You can deactivate it in the SysConfig via CustomerFrontend::Module###CustomerPreferences.
- New: Kerberos SSO is now available in Docker, too.
- New default password settings – users can now change their passwords by default. Please check your password settings in PreferencesGroups###Password and CustomerPreferencesGroups###Password.
- Changed the CustomerUserTimeZone-Check notification module in the customer interface – customer users without a set time zone no longer get a notification by default. Please activate CustomerFrontend::NotifyModule###7-CustomerUserTimeZone-Check if you want to prompt your customer users to define a time zone.
- More bugfixing in the migration, especially in handling PostgreSQL and Oracle databases.
- Elasticsearch – added a way to fully migrate customer users to Elasticsearch where an LDAP backend limits the amount of data that can be transferred at once.
- Ticket state: the new setting Ticket::Frontend::CustomerTicketZoom###StatePreset makes it possible to define a default preset state for systems in which customer users are allowed to change the ticket state.
Please update as soon as possible.