General vulnerabilities ▪The addition of arbitrary PHP files, sent via upload to the temporary file application folder as valid system files, has been blocked. In other words, a Local File Inclusion vulnerability that could lead to Remote Code Execution of other PHP codes has been fixed. ▪"CSV Formula Injection" vulnerability fixed when exporting view screens to Excel. ▪Improvements based on good safety practices (security through obscurity) ▪Source map removed from Javascript codes, which facilitated the understanding of the application frontend logic. ▪The JavaScript code was hidden on the login screen to hinder the understanding of the frontend logic on this screen, as it is public (able to be accessed by unauthenticated users) and it has sensitive logic, such as that for password recovery. ▪JavaScript functions that exposed the name of backend technologies have been renamed to hinder the discovery of which technology is used in the application and which resources use a certain technology. |
On some screens, the text on disabled fields had an inadequate gray shade, as it provided low contrast and made it harder for users to read the content.
From this version onwards, the color has been changed to a darker shade, increasing contrast and readability of the text in disabled fields.
The new "Request user countersign when performing critical operations in the system" parameter was created in version 2.1.3 to replace the old parameter, which only required the countersign confirmation to open the task screen, but both options continued existing since, so that there was enough time to adapt to the migration between options.
After the adaptation time, the objective now is to make the old option obsolete, so, from this version onwards, it will only remain available in the environments in which it is already enabled. Otherwise, only the new option will be displayed, and it will no longer be possible to enable the old option.
In the near future, the old option will be completely discontinued and it will no longer work, so it is recommended for those who still use it to plan the migration to the new option created in version 2.1.3.
Due to security matters, some users with generic logins and with reserved words were disabled and are blocked from being enabled.
In previous versions, the creation of those users had already been blocked. Examples of blocked users: softexpert, sesuite.
▪Oracle 12 (all versions): 2.1.9 - October 2022
▪Windows Server 2008 R2: 2.1.10 - December 2022
▪Windows Server 2012 (all versions): April 2023
▪SQL Server 2012 (all versions): April 2023
View also the improvements made to this component in previous versions: