Alf.io 2.0-M4-2304 (2023-04-24)
Security fixes
- CVE-2023-2258 - CSV Injection (High Severity)
- CVE-2023-2259 - Admin Self-inflicted Server-side template injection (High Severity)
- CVE-2023-2260 - Multiple IDOR vulnerabilities: reset password, disable users, update organization (High Severity)
Please note that all security fixes relate to the Backoffice application; some of them affect only multi-tenant deployments.
The "public" application was not impacted.
Thanks to the @huntr-helper contributors @lujiefsi and @yelprofessor!
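The first item above, CSV injection, is the class of bug where a cell value that starts with a formula-trigger character (`=`, `+`, `-`, `@`, tab, carriage return) is evaluated by the spreadsheet that opens an exported file. The snippet below is an added, language-neutral illustration of the standard mitigation (prefixing such cells with a text marker and quoting every field); it is not Alf.io's code and does not describe how the project fixed CVE-2023-2258. The attendee rows are constructed sample data.

```python
"""Neutralize spreadsheet-formula injection ("CSV injection") in exported cells."""
import csv
import io

# Leading characters that common spreadsheet applications interpret as the
# start of a formula rather than literal text.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def is_formula_like(value: str) -> bool:
    """True when a cell would be evaluated as a formula after import.

    Leading whitespace is skipped because some importers strip it before
    deciding whether a cell is a formula (conservative assumption).
    """
    stripped = value.lstrip(" \t\r\n")
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value) -> str:
    """Return a version of the cell that spreadsheets treat as plain text.

    The leading apostrophe is the conventional "text prefix". Some
    applications display it, so an exporter may instead strip the trigger
    character; either way the cell is no longer evaluated as a formula.
    """
    if value is None:
        return ""
    text = str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_rows(header, rows) -> str:
    """Serialize rows to CSV with every cell neutralized and double-quoted."""
    buf = io.StringIO()
    # QUOTE_ALL also doubles embedded quotes, so a cell cannot break out of
    # its field and start a new one.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: attendee data as an event back office might export it.
SAMPLE_HEADER = ["ticket_id", "full_name", "company"]
SAMPLE_ROWS = [
    ["T-0001", "Ada Lovelace", "Analytical Engines Ltd"],
    ["T-0002", "=SUM(1,2)", "Example Corp"],       # formula-looking name
    ["T-0003", "  +1 555 0100", "Plus, Inc."],      # leading whitespace, then a trigger
    ["T-0004", 'Bob "Quoted" Dylan', "@handle"],    # embedded quotes and an '@' trigger
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```

Note the trade-off visible in the third row: a legitimate phone number beginning with `+` is also prefixed, because the exporter cannot distinguish it from a formula. That false positive is usually acceptable for a back-office export; the alternative of allow-listing specific columns must be applied to every user-controlled field or the protection is incomplete.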
Improvements
- create Subscription reservation via API #1183 (sponsored by Eventplane)
- API to retrieve check-in log #1188 (sponsored by Eventplane)
- Refactor payment confirmation #1202 (sponsored by Eventplane)
- Resize images #1209 (sponsored by Eventplane)
- Preload Language #1192
- Custom VAT Application #1193
- Implement Reservation Export #1194
- Manage multiple sponsors scan #1205
Bug fixes
- Fix user admin check #1206