SECURITY ADVISORY
- RELEASE DATE: October 9, 2024
- RELEASE TYPE: Security Patch Release
- CRITICALITY: LOW
- AFFECTED VERSIONS: OTOBO 11.0
Description
Enhancements
- [Security] Automatically end active sessions for (customer) users upon password change, to enable proactive termination of sessions e.g. on other machines. [#3440]
- [Security] Removed a possibility for ReDoS attacks by removing special handling of some MS classes in articles. Thanks to Emin Yazi (Efflux) [#3853]
- [Security] Prevention of some JS injection possibilities for the OTOBO admin. Thanks to Tim Puettmanns (maxence) [#3764]
- [Enhancement] If possible add a notice to the log when undefined elements are used in stats to support debugging [#3792]
- [Enhancement] Add possibility to migrate from OTRS 7 to OTOBO 10.1 [#3360]
- [Enhancement] Added ticket priority to CustomerTicketCategories [#3831]
- [Enhancement] ‘Type’ has been translated in ticket information [#3686]
- [Enhancement] Enhance Dev::Tools::Database::RandomDataInsert to insert attachments [#3772]
- [Enhancement] Added translations to: Norwegian, Japanese, Arabic (Saudi Arabia), German, Spanish (Mexico), Ukrainian – thanks to all contributors
- [Change] Dynamic field types which can be used as lens attribute fields have been restricted [#3795]
- [Change] Moved console commands for ImportExport from ImportExportTicket to OTOBO – it is recommended to first update the package and then OTOBO [#3797]
- [Revision] The CKEditor5 integration has been extensively revised. This includes fixing the resizing of the editor area in Safari. In addition, some SysConfig options have been corrected. “(Customer)Frontend::RichText::DefaultCSS” is now empty by default and can be used to make specific changes to customer and agent articles. For larger general styling adaptations of the rich text, please either use a different CSS file and set it under “(Customer)Frontend::RichTextArticleStyles” or adapt the existing one. In some cases it might be necessary to empty your browser cache after the update.
- [Style] Scroll bar redesign for some browser/os combinations. [#2680]
- [Style] Redesigned long dynamic field labels [#3806]
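The first security item above (ending all active sessions of a user when their password changes) is a general pattern worth seeing in code. The following is an added illustration, not OTOBO's own implementation: the `SessionStore`, `UserStore` and `change_password` names are hypothetical stand-ins for an application's session and credential backends. It shows the behaviour a defender wants: a session still open on another machine is terminated as soon as the password is changed, while the session that performed the change is kept, and a failed old-password check revokes nothing.

```python
"""Added example (hypothetical code, not from OTOBO): invalidate a user's
other sessions when their password changes."""
import hashlib
import secrets
import time


class SessionStore:
    """Minimal in-memory session table: session id -> owning user."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": str, "created": float}

    def create(self, user: str) -> str:
        # 256-bit random, URL-safe session identifier
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": time.time()}
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions

    def sessions_for(self, user: str) -> list:
        return [sid for sid, s in self._sessions.items() if s["user"] == user]

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def revoke_all_for_user(self, user: str, keep: str = None) -> int:
        """Terminate every session of `user` except `keep` (the session that
        performed the password change). Returns the number revoked."""
        victims = [sid for sid in self.sessions_for(user) if sid != keep]
        for sid in victims:
            self.revoke(sid)
        return len(victims)


class UserStore:
    """Salted PBKDF2 password storage; enough for the example's purpose."""

    def __init__(self):
        self._creds = {}  # user -> (salt, hash)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._creds[user] = (salt, digest)

    def verify(self, user: str, password: str) -> bool:
        if user not in self._creds:
            return False
        salt, digest = self._creds[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return secrets.compare_digest(candidate, digest)


def change_password(users: UserStore, sessions: SessionStore, user: str,
                    old_pw: str, new_pw: str, current_sid: str):
    """Change the password and, on success, end all other sessions of the
    user. Returns (changed, number_of_sessions_revoked)."""
    # Re-authenticate first: a hijacked session must not be able to lock
    # the legitimate owner out by changing the password.
    if not sessions.is_valid(current_sid) or not users.verify(user, old_pw):
        return False, 0
    users.set_password(user, new_pw)
    revoked = sessions.revoke_all_for_user(user, keep=current_sid)
    return True, revoked


def demo():
    """Constructed scenario: alice is logged in on two machines and changes
    her password from machine A. Returns the store state for inspection."""
    users, sessions = UserStore(), SessionStore()
    users.set_password("alice", "old-secret")
    sid_a = sessions.create("alice")   # machine A
    sid_b = sessions.create("alice")   # machine B (e.g. a forgotten login)
    sid_bob = sessions.create("bob")   # unrelated user, must be untouched

    # Wrong old password: nothing changes, nothing is revoked.
    rejected = change_password(users, sessions, "alice", "wrong", "x", sid_a)

    # Correct old password: machine B's session is terminated.
    accepted = change_password(users, sessions, "alice", "old-secret",
                               "new-secret", sid_a)
    return {
        "rejected": rejected,
        "accepted": accepted,
        "a_valid": sessions.is_valid(sid_a),
        "b_valid": sessions.is_valid(sid_b),
        "bob_valid": sessions.is_valid(sid_bob),
        "new_pw_ok": users.verify("alice", "new-secret"),
        "old_pw_ok": users.verify("alice", "old-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Whether to keep the current session (as above) or end every session including the current one is a policy choice; ending all of them is the stricter option and simply means passing `keep=None`.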
Next steps
Update to OTOBO 11.0.6
We recommend that you fix the vulnerabilities and benefit from the latest improvements. Please update your system.
Bug Fixes
- [Bugfix] Tickets closed via AgentTicketQuickClose will now be assigned to the closing user. [#3559]
- [Bugfix] AgentTicketMove will correctly adhere to ACLs restricted to this Action. [#3644]
- [Bugfix] Fixed an error in template state preselection. [#3848]
- [Bugfix] Do not skip storing values for hidden fields in process activities, even if they would also be “hidden” via ACLs [#3846]
- [Bugfix] AdminTranslations removes leading empty spaces after saving the translation. [#3728]
- [Bugfix] Performance issue for building country lists [#3780]
- [Bugfix] The option for wrapping in CKEditor5 entries has been restored. [#3571]
- [Bugfix] The default position of tiles in the customer dashboard has been corrected to prevent tiles from overlapping when the screen width is reduced. [#3859]
- [Bugfix] Setting dynamic fields of the type checkbox and richtext to read-only is now respected in the frontend (UI). [#3516]
- [Bugfix] Fix TreeView for Queue Selections using sub AgentQueueListOption. [#3685]
- [Bugfix] Restricted DF reference does not work with lenses. [#3770]
- [Bugfix] DF Checkbox has issues being used as lens attribute field. [#3808]
- [Bugfix] Quick Date Buttons (+1 day, +1 week) are not translated. [#3783]
- [Bugfix] The arrangement of the article overview is now static and will not change (Ticket::Frontend::ZoomExpandSort). [#3711]
- [Bugfix] DynamicField Reference Agent: Empty value didn’t work. [#3719]
- [Bugfix] Dynamic Field (DF) of the type Reference (to any object) with the settings Dropdown + Multi Value (Multivalue) + Empty Value generated errors. [#3730]
- [Bugfix] Fixed DynamicField Namespace sysconfig. [#3704]
- [Bugfix] Fixed the emptying of the name field when saving a dynamic field of type Script to which a namespace was assigned. [#3701]
- [Bugfix] Fix script dynamic fields post value set behaviour (e.g. history and TicketDynamicFieldUpdate event). [#3689]
- [Bugfix] Improve handling of CustomTranslations package in DBUpgrade to 11.0. [#3680]
- [Bugfix] DynamicField of type ‘Richtext’ is now working in process masks. [#3678]
- [Bugfix] Fixed a couple of unit test failures [#3856]
- Various minor fixes and improvements
We’d be happy to clarify your questions. Contact us.
If you are a support customer and require assistance with the security patch, please contact us through your access in the support portal.
Report a security issue: security@otobo.org