OTOBO Release note

OTOBO 10.0.10 – Security Patch

21 April 2021

Security-related:

• OTOBO 10.0.10 is fixing a critical security issue, which made it possible for attackers to tap data in the ticket overview by way of an XSS attack using a manipulated email. Thanks to the Znuny team for sharing the issue and providing the fix (ZSA-2021-06; Criticality: high).
• JQuery-Validate update to 1.19.3., fixing a security issue enabling ReDoS attacks (CVE-2021-21252; criticality: low)

Also new:

• New language: Sinhala
• New: Individual settings in the customer interface.
  This feature is activated by default. You can deactivate it in the SysConfig via CustomerFrontend::Module###CustomerPreferences.
• New: Kerberos SSO is now available in Docker, too.
• New default password settings – users can now change their passwords by default. Please check your password settings in PreferencesGroups###Password and CustomerPreferencesGroups###Password
• Changed the CustomerUserTimeZone-Check notification module in the customer interface – customer users without a set time zone no longer get a notification by default. Please activate CustomerFrontend::NotifyModule###7-CustomerUserTimeZone-Check, if you want to prompt your customer users to define a time zone.
• More bugfixing in the migration, especially in handling PostgreSQL and Oracle databases.
• Elasticsearch – added a way to fully migrate customer users to Elasticsearch where an LDAP backend poses restrictions on the amount of simultaneous data transferred.
• Ticket state: The new setting Ticket::Frontend::CustomerTicketZoom###StatePreset enables to define a default pre-setting for systems, in which customer users are allowed to change the ticket state.

Please update as soon as possible.