This 2.13.0 release fixes multiple security issues (see below). All issues fixed in this release are subject to public disclosure on September 1, 2022. Please make sure to update your systems in time.
We would like to thank khanhchauminh for responsibly disclosing and assisting with fixing these security issues.
What's Changed
- CVE-2022-36028 (Severity: Moderate): The value of the return_to cookie is now checked to ensure it is a Greenlight URL (#3631)
- CVE-2022-36029 (Severity: High): Sessions are now expired when the password is changed (either through the forgot-password flow or the profile page) (#3096)
- Removed jQuery UI, which was pinned to a version with known vulnerabilities (#3783)
- Multiple gem updates (#3615, #3653, #3686, #3688)
- Language updates
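The return_to check behind CVE-2022-36028 is a redirect-target allowlist: the cookie value is only honoured if it resolves to this Greenlight deployment, and anything else falls back to a fixed in-app path. The Ruby below is an added illustration of that class of check, not Greenlight's own code; `ReturnToGuard`, `safe_return_to` and the `app_host` parameter are names chosen here, and `greenlight.example.com` is a constructed host.

```ruby
require "uri"

# Added example (not Greenlight's code): decide whether a stored redirect target,
# such as a return_to cookie, may be followed after login.
module ReturnToGuard
  ALLOWED_SCHEMES = %w[http https].freeze
  DEFAULT_PATH = "/".freeze

  # Returns +candidate+ when it is safe to redirect to, otherwise DEFAULT_PATH.
  # +app_host+ is assumed to be the host this Greenlight instance is served from.
  def self.safe_return_to(candidate, app_host:)
    return DEFAULT_PATH if candidate.nil? || candidate.strip.empty?

    # Relative targets must start with exactly one slash: browsers treat
    # "//host" and "/\host" as protocol-relative URLs, so those are rejected here.
    return candidate if candidate.match?(%r{\A/(?![/\\])})

    uri = URI.parse(candidate)
    # Absolute targets must be http(s) and point at our own host; a host that
    # merely contains our name (e.g. "greenlight.example.com.other.example") fails.
    return DEFAULT_PATH unless ALLOWED_SCHEMES.include?(uri.scheme)
    return DEFAULT_PATH unless uri.host && uri.host.casecmp?(app_host)

    candidate
  rescue URI::InvalidURIError
    # Spaces, backslashes, control characters: unparsable input is discarded.
    DEFAULT_PATH
  end
end

if __FILE__ == $PROGRAM_NAME
  host = "greenlight.example.com" # constructed deployment host
  ["/rooms/abc-def", "https://greenlight.example.com/rooms", "//other.example/",
   "https://other.example/greenlight.example.com", "javascript:alert(1)"].each do |v|
    puts "#{v.inspect} -> #{ReturnToGuard.safe_return_to(v, app_host: host).inspect}"
  end
end
```

The host comparison is an exact, case-insensitive match rather than a prefix or substring test, because a suffix or embedded copy of the application's hostname is the usual way an allowlist of this kind gets bypassed.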
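The fix for CVE-2022-36029 requires every existing session to stop working once the password changes, whichever form changed it. One way to get that property is to record in each session a per-account counter that every password change increments, and to compare it on every request. The Ruby below is an added, framework-free sketch of that pattern and not Greenlight's own implementation; `User`, `SessionStore`, `password_generation` and `change_password!` are names chosen here, and the SHA-256 digest stands in for the bcrypt hashing a Rails application would use.

```ruby
require "securerandom"
require "digest"

# Added example (not Greenlight's code): a user whose password carries a
# generation counter that every change increments.
class User
  attr_reader :id, :password_generation

  def initialize(id, password)
    @id = id
    @password_generation = 0
    @password_digest = digest(password)
  end

  # Both the profile form and a forgot-password reset end up here, so sessions
  # issued under the old password stop authenticating from this moment on.
  def change_password!(new_password)
    @password_digest = digest(new_password)
    @password_generation += 1
  end

  def password_matches?(candidate)
    @password_digest == digest(candidate)
  end

  private

  # Placeholder for the demo only; a real application uses bcrypt.
  def digest(password)
    Digest::SHA256.hexdigest(password)
  end
end

# In-memory session store that binds each session to the generation in force
# when it was created.
class SessionStore
  def initialize(users)
    @users = users.map { |u| [u.id, u] }.to_h
    @sessions = {}
  end

  # Returns a fresh session id on a correct password, nil otherwise.
  def login(user_id, password)
    user = @users[user_id]
    return nil unless user && user.password_matches?(password)

    sid = SecureRandom.hex(16)
    @sessions[sid] = { user_id: user.id, generation: user.password_generation }
    sid
  end

  # Resolves a session id to a user id. A session whose recorded generation no
  # longer matches the account predates a password change: it is deleted and
  # treated as logged out.
  def current_user_id(sid)
    record = @sessions[sid]
    return nil unless record

    user = @users[record[:user_id]]
    if user.nil? || record[:generation] != user.password_generation
      @sessions.delete(sid)
      return nil
    end
    user.id
  end

  def live_session_count
    @sessions.size
  end
end
```

Because the check runs on every request rather than only at login, a session that was already open in another browser is cut off the first time it is used after the change, which is the behaviour the release note describes.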