This release fixes three XSS vulnerabilities. These vulnerabilities only impact shared BTCPay instances.
Special thanks to Ajmal "@B3EF" Aboobacker and Abdul "@b1nslashsh" Muhaimin, who found them and contacted us through @huntrdev.
See 1, 2 and 3.
Bug fixes:
- Use CSP to prevent future XSS attacks. (#2856, #2863) @NicolasDorier
- Fix XSS vulnerabilities in summernote, the rich text editor (#2859) @dennisreimann
- The page could crash if the user clicks too many times on the notification 'Mark as Seen' @NicolasDorier
- Fix plugins page crashing @Kukks
- Fix page crash of the perk editor in the crowdfund settings when the title is not set @dennisreimann
- Do not generate payment methods for 0-amount invoices (#2776)
- When using the BTCPay Vault, some hardware wallet types were considered unknown @NicolasDorier