OTOBO Release note

OTOBO 10.0.10 – Security Patch

21 April 2021


  • OTOBO 10.0.10 is fixing a critical security issue, which made it possible for attackers to tap data in the ticket overview by way of an XSS attack using a manipulated email. Thanks to the Znuny team for sharing the issue and providing the fix (ZSA-2021-06; Criticality: high).
  • JQuery-Validate update to 1.19.3., fixing a security issue enabling ReDoS attacks (CVE-2021-21252; criticality: low)

Also new:

  • New language: Sinhala
  • New: Individual settings in the customer interface.
    This feature is activated by default. You can deactivate it in the SysConfig via CustomerFrontend::Module###CustomerPreferences.
  • New: Kerberos SSO is now available in Docker, too.
  • New default password settings – users can now change their passwords by default. Please check your password settings in PreferencesGroups###Password and CustomerPreferencesGroups###Password
  • Changed the CustomerUserTimeZone-Check notification module in the customer interface – customer users without a set time zone no longer get a notification by default. Please activate CustomerFrontend::NotifyModule###7-CustomerUserTimeZone-Check, if you want to prompt your customer users to define a time zone.
  • More bugfixing in the migration, especially in handling PostgreSQL and Oracle databases.
  • Elasticsearch – added a way to fully migrate customer users to Elasticsearch where an LDAP backend poses restrictions on the amount of simultaneous data transferred.
  • Ticket state: The new setting Ticket::Frontend::CustomerTicketZoom###StatePreset enables to define a default pre-setting for systems, in which customer users are allowed to change the ticket state.

Please update as soon as possible.