This is a security release; upgrading is recommended.
Note: these are medium-severity security issues.
Some have been present for a long time (since version 0.68), but none of the issues fixed this time were rated high or critical.
Non-exhaustive list of changes:
- [security] Horizontal Privilege Escalation (CVE-2021-21326)
- [security] entities switch IDOR (CVE-2021-21255)
- [security] XSS injection in ajax/kanban (CVE-2021-21258)
- [security] XSS injection on ticket update (CVE-2021-21314)
- [security] Stored XSS on documents (CVE-2021-21312)
- [security] XSS on tabs (CVE-2021-21313)
- [security] Stored XSS in budget type (CVE-2021-21325)
- [security] Unsafe Reflection in getItemForItemtype() (CVE-2021-21327)
- [security] Insecure Direct Object Reference (IDOR) on "Solutions" (CVE-2021-21324)
- Handle RFC5987 format in Content-Disposition header
- Fix email attachment decoding logic
- Fix ticket ID fetching from email headers
- Fix graph counts
- Add search filter criteria for widget by year
- New filter ‘my groups’
- Populate meta criteria in a generic way
- Make custom CSS from entities inheritable
- and more!
See changelog for details.
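The "Handle RFC5987 format in Content-Disposition header" item above refers to the filename*=charset'lang'percent-encoded form that mail clients and browsers use for non-ASCII attachment names. The following is an added example, not GLPI's own code, showing how a receiver can parse such a header, prefer the RFC 5987 value over the plain filename (as RFC 6266 requires), fall back cleanly when the extended value is malformed or uses an unsupported charset, and reduce the result to a safe basename before it is used as a file name on disk. The header strings and the function names (parse_content_disposition, decode_rfc5987, extract_filename) are constructed for this example.

```python
import re
from urllib.parse import unquote

# Matches one "name=value" parameter; value is either a quoted-string
# (group 2, backslash escapes allowed) or a bare token run (group 3).
_PARAM_RE = re.compile(r'([\w*-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))')

# Constructed sample headers (hypothetical, not taken from any real message)
SAMPLE_HEADERS = [
    'attachment; filename="report.pdf"',
    "attachment; filename*=UTF-8''r%C3%A9sum%C3%A9.pdf",
    "attachment; filename=\"fallback.pdf\"; filename*=iso-8859-1''caf%E9.pdf",
    "attachment; filename*=UTF-8'en'..%2F..%2Fetc%2Fpasswd",
    "attachment; filename=\"fb.pdf\"; filename*=UTF-16''x",
]


def parse_content_disposition(header):
    """Split a Content-Disposition value into (disposition, {param: value})."""
    disposition, _sep, rest = header.partition(";")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        name = m.group(1).lower()
        if m.group(2) is not None:
            # quoted-string: undo backslash escaping
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3).strip()
        params[name] = value
    return disposition.strip().lower(), params


def decode_rfc5987(ext_value):
    """Decode charset'language'percent-encoded (RFC 5987 / RFC 8187).

    Only UTF-8 and ISO-8859-1 are accepted, as the RFC mandates; anything
    else raises ValueError so the caller can fall back to plain filename.
    """
    try:
        charset, _lang, encoded = ext_value.split("'", 2)
    except ValueError:
        raise ValueError("not an RFC 5987 ext-value") from None
    charset = charset.lower()
    if charset not in ("utf-8", "iso-8859-1"):
        raise ValueError(f"unsupported charset {charset!r}")
    # errors="strict" turns invalid byte sequences into UnicodeDecodeError
    return unquote(encoded, encoding=charset, errors="strict")


def safe_filename(raw, fallback="download"):
    """Reduce an attacker-controlled name to a bare basename."""
    # keep only the last path component, whatever separator was used
    name = re.split(r"[\\/]", raw)[-1]
    # drop control characters (NUL, CR, LF, ...) and leading/trailing dots
    name = "".join(ch for ch in name if ch.isprintable()).strip(" .")
    return name or fallback


def extract_filename(header, fallback="download"):
    """Return a safe file name from a Content-Disposition header value."""
    _disp, params = parse_content_disposition(header)
    raw = None
    if "filename*" in params:
        try:
            raw = decode_rfc5987(params["filename*"])
        except (ValueError, UnicodeDecodeError):
            raw = None  # malformed extended value: ignore it, use plain filename
    if raw is None:
        raw = params.get("filename")
    if not raw:
        return fallback
    return safe_filename(raw, fallback)


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:70} -> {extract_filename(h)!r}")
```

The order of preference matters: a sender can supply both parameters, and a receiver that trusts the plain filename when filename* is present will show or store a different name than clients that follow the RFC. Basename reduction is applied after decoding, because percent-encoding can hide path separators until the value is decoded.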