Alf.io 2.0-M4-2301 (2023-01-14)
Security fixes
- CVE-2023-0300 (low severity) - Self-inflicted XSS
- CVE-2023-0301 (low severity) - Prevent organizers from inserting dangerous links within their event description
Please note that both security fixes relate to the Backoffice application. The "public" application was not impacted.
Thanks to @huntr-helper contributors!
Improvements
- Organization APIs at system level #1083 (sponsored by Eventplane)
- API for linking Subscriptions to an Event #1087 (sponsored by Eventplane)
Bugs fixed
- Cannot search reservation by invoice number #1090
- Remove button should not be displayed for checked-in tickets #1093
- Various errors when selecting / deselecting the payment method #1100
- Error on "Confirmed" items on the Additional services page #1108
- Stripe API not working as expected #1159 (thanks to @icougil for reporting it and for helping us debug it)