Alf.io 2.0-M4-2402
Security Fixes
- CVE-2024-25635: IDOR vulnerability allowing an organization owner to view other organizations' API keys and users - reported by @rac-fckscty
- CVE-2024-25634: IDOR allowing a user to read the e-mail log sent by other events - reported by @lujiefsi
- CVE-2024-25628: User sessions are not properly terminated - reported by @lujiefsi
- CVE-2024-25627: Cross-Site Scripting (XSS) via File Upload - reported by @PinkDraconian
What's Changed
- Build published on Docker for arm64
- Fix spring-session <-> spring security integration + session removal on user deletion/disable by @syjer in #1214
- Google Wallet integration by @cbellone and @yanaga in #1215
- Case-insensitive QR code by @cbellone in #1218
- Payments list by @cbellone in #1240
- Configuration API by @cbellone in #1249
- Purchase context level config by @cbellone in #1251
- #1269 Resolved the bug to show correct {{eventName}} on compose message page by @ved-asole in #1275
- Manage additional service quantity by @cbellone in #1308
- Unify access resource check in a service by @syjer in #1310
- Date of birth field + additional fields for subscriptions by @cbellone in #1312
New Contributors
- @ved-asole made their first contribution in #1275
- @yanaga made their first contribution in #1215
Full Changelog: 2.0-M4-2304...2.0-M4-2402