Version 23.4

• For higher accuracy, the tolerance for images and lines in the 'Verify Identitiy' comparison profile was reduced from 1 to 0.01. This still compensates rounding errors but may cause additional differences. In case you're using this profile, consider creating a copy with tolerances set back to 1 in case of unintended differences.

Version 22.10

• Published comparison profiles will automatically be migrated to be published for the user group 'All Users'

Version 24.4

• The Repository has been deprecated and is replaced by the all-new Drive.

Version 21.10

• Any webhooks found in existing Task Planner Discord actions will be added to the central Discord Incoming Webhooks list in the configuration.

Version 24.4

• Custom field of type "Selectable Values" with both options "Own Value" and "Multiple Values" activated are migrated to the option "Own Value". A combination of both options is not possible anymore.

Version 24.4
The HTMLEngine is a core component of all our products. As such, it must be included in the plugins directory at all times; otherwise, the server will not start.

Version 22.4

Backups

Backups for MeetUp that were previously configured and used in maintenance are no longer compatible. CoWork must be activated again in the configured backup.

It is recommended to create fresh backups before and after each update.

Version 24.4

• The Java Viewer Applet has been removed. In modern browsers, Java Applets have been unavailable for some time now. You can still use the Java Viewer in API mode.
• The ReportServletJSP has been removed. It was used as an entry point for *.jsp files that allowed to instantiate report engines and control Java Viewer Applet HTML output.
• The Drive will replace the previous Report Repository as the central storage solution.

Version 23.10

• The deprecated datasource property driverLibrary has been removed. To use additional driver libraries, you must move them to the lib directory of the installation.

Version 24.4

• The minimum required Java version is Java 17.

Version 23.10

• The version 23.10 is the last version that supports:
  • Java 11
  • Jakarta EE 8 application server
  • Servlet Specification 3.1
  • WebSocket 1.1

Version 23.4

• The Docker Containers have been updated to run with a restricted user instead of the root users.
  • The new restricted users id and group id are 1000.
  • Host mounted volumes have to be updated to reflect the new user and group id manually.
  • Host mounted volumes mount points of the users home directory have to be updated from /root to /home/<username>. The <username> is determined using the whois command in the container
  • Additional information is available from our FAQ: https://faq.inetsoftware.de/t/upgrading-to-user-restricted-docker-container/277

Version 22.10

• The Allowed Cross Origins option is renamed to Allowed Origins and performs additional checks on the server side when configured.
  • The external visible URL is also sent as allowed origin using the CORS header
  • Connections to the server (either HTTPs or WSs) are also checked against the list of allowed origins and the external visible URL

Version 23.10

• Added comparison of meta data in images.
• Control elements are now compared as type 'text' instead of 'lines and shapes'.

Fixed Bugs

• Annotation elements with no visual appearance like a 'popup' are now ignored by filters
• Unicode 'combining characters' are now excluded from the white space detection. This improves the white space detection in e.g. Hebrew text which heavly relies on combined characters.
• Negative text overhang is recognized and will update the location of the affected text chunk. This solves incorrect word bounds and white spaces.

Version 23.4

• A new option is available to combine large text differences. This feature drastically reduces the unintended matches in large changes.
• PDF Annotations which relate to some text, like strikethrough or link click areas, are now recognized as a property of the text instead of independent objects. As a result the comparison is much more accurate an can handle line breaks in such annotations.
• For higher accuracy, the pixel tolerances in the "Verify Identitiy" comparison profile were reduced from 1 to 0.01.
• The accuracy of the side-by-side page synchronization (export and GUI) was improved for pages with little to no differences.

Version 22.10

• PDF and PNG exports can now be configured to automatically select an output page size that exactly fits to the displayed content or pages. This reduces the blank space on exported pages and is the best option to view the PDFs/PNGs on screen devices.
• Support for the hyperlink annotation is added to the document comparison.

• Public profiles are restored correctly during backup.
• Subscript and Superscript are now correctly detected in any line of text.

Version 22.4

• New option for any type of PDF export to not replace external font references by default fonts. This keeps the export more alike similar to the original files even though font references are discoured for PDF.
• Modified handling of overlapping text chunks: Fonts without space character will tolerate larger overlaps without splitting the chunk. Leading spaces will be ignored on overlap.
• Added strong named assemblies for i-net PDFC .Net Bridge to the SDK

Version 21.10

• Tesseract plugins on Windows have been combined into one plugin
• Batch comparison added to the .NET API
• PDFCNunit: Support for multiple .Net Frameworks added
• Whitespace calculation for small fonts improved
• Footer position corrected in case the header is missing.
• A font difference will now be detected in case the design font name is the same, but the actually used font differs due to a missing embedded font
• JPEG2000 images will be added with original JPEG2000 data to the PDF export
• The internal filter SOLVEFALSEREPLACE is now active even for legacy profiles. The filter has been improved and drastically reduces false positives in drawings an shapes with slight position differences due to rounding errors
• It is now supported to compare annotations as well
• "Across then down" will be used alwaysif a multi column report will be exported into an endless page output format
• Performance optimization for high amount of graphic operations with blend mode
• Image serialization disparity in the swapping mechanism occurred. This could lead to rare image differences in high load scenarios
• NullPointerException occurred. To solve it we improved the handling of defective PDFs (missing PatternType parameter)
• Incorrect differences occurred due to a zero-width non-joining character
• A text with vertical font was not displayed and the position was wrong
• Glyph was missing in rendering due to an inconsistent font entry in the source PDF
• NullPointerExceptino occurred if the compared Docx files has no style information
• Line height calculation für inconsistent fonts was incorrect
• Text in Courier New font not being displayed in comparison result
• Some parenthesis not displayed in comparison result because of index bug in font generation which leads to missing characters
• Line height calculation was wrong for inconsistent fonts
• Wrong difference details reported: Text in two table columns was moved to the same X,Y position
• Rendering issues occurred for PDF file where the graphics states are not properly closed
• Fixed incorrect white space detection in case the same font is embedded multiple times in a PDF file
• ParserConfigPlugin extended for an option to deactivate the cmap from PDF files because a difference was not detected

• The comparison was aborted because of an "Index out of bounds" exception that occurred in case of a style change (e.g. font face) in words with decomposable Unicode characters.

Version 23.10

• The table filter has several improvements
  • Differences in Rowspan and Colspan are detected
  • Background colors of cells are recognized and can cause style differences
  • Table layouts with alternating row styles where each even row has now border and background can be recognized as one table
  • The filter for header and footer views tables as monolithic elements which cannot be cut by a header or footer

Version 21.10

• Improved filter model so that other filters (e.g. regular expression filter) can now operate on the contents of table cells as well

Version 23.4

• New option for batch jobs to choose how to proceed in case of invalid documents.

Version 23.10

• Users without the permission to run and modify comparisons will no longer see who shared a comparison.
• Deviation tolerances in the profiles dialog are displayed with their percentage and can be translated into the actual profile values.

Version 23.4

• Keyboard shortcuts for common actions
• The keyboard shortcut for 'paste' is now supported and will upload the pasted files as documents for the comparison.
• The current content of the system clipboard can be used as document for the comparison as long as it's plain text or image via a button. Access to the system clipboard has to be permitted in the browser for this feature to be available.
• As an alternative to uploading, documents can be selected directly from the i-net Drive for the comparison.

Fixed Bugs

• Cumulative rounding errors led to small deviations in the scroll synchronization and text search mark-up.
• Cycling through text search results will now go through the results in scroll order in any case.

Version 22.10

• Comparison profiles can be published for certain users or groups.
  • Requires the publishing user to have permissions for the users and groups administration.
  • Published profiles can be unpublished or modified by the owner or any member of the administrators group.
• Full text search for the compared documents is now available.
• Comments (annotations with text) will be shown as popup. The popup will show the comment text and author as well as the review/edit steps.
• Comparison profiles will be validated and warnings will be shown in the edit dialog for any incorrect property key or value.

Version 21.10

• Cannot read properties of undefined (reading 'element') error

Version 23.4

Fixed Bugs

• The activated visibility option "Only pages with differences" was not applied directly when a new comparison was made in the desktop application

Version 22.10

• Setting correct Area Filter properties
• Filechooser dialog is now modal

Version 23.10

• JUnit5 support is available for the PdfcAssert class.

Version 23.4

• The result parameter exportbydiff was changed to exportifdiff

Version 23.4

• Area filter is now also applied to detail comparison in images.

Version 23.10

• Detecting alternating headers and footers in a book print now requires at least 5 pages instead of 3.

Fixed Bugs

• Auto-detection will try to avoid cutting rectangular shapes that could be a text box or table border

Version 23.4

• The calculation of the size of the footer on the first page was inconsistent.

Version 22.10

• The calculation of the size of the footer on the first page was inconsistent.

Version 22.4

• The calculation of the size of the footer on the first page was inconsistent.

Version 21.10

• The calculation of the size of the footer on the first page was inconsistent.

Version 23.10

• The application language can be configured.
• On macOS the system menu of the Standalone i-net PDFC application contains PDFC specific menu items, e.g. for profile selection.
• Added keyboard shortcut Cmd+, to open settings.

Fixed Bugs

• Opening the application with multiple files to compare on Linux operating systems.
• Exits the program as soon as the main window is closed.
• Terminates the program after 5 minutes if the background process cannot be reached.

Version 23.10

• Editable profiles can be renamed using the actions in the profile dialog.

Fixed Bugs

• The synchronization of cloud nodes waits for the background serialization of the comparison result before allowing exports on other nodes. This prevents corrupted or empty results when switch nodes. It also prevents a restart of the comparison on another node up until the comparison was saved.

Version 22.10

• The per-user quota values are stored in a different format to support very large amounts of stored comparison per user.

• The cleanup of abandoned comparisons no longer keeps all of the named comparisons of a user alive. This caused memory issues in high load scenarios.

Version 22.4

• Extended publish feature to make the comparison visible for permitted users.

Version 21.10

• The i-net PDFC server stores uploaded files encrypted on the server
• Set a custom product title for external representation
• The RPC client no longer receives page images if this feature is disabled in the comparison profile

• Group "Comparison" was missing in the i-net PDFC Server configuration
• Hidden differences in graphical presentations occurred due to a merge of difference markers
• Problems with CosmosDB persistence occurred
• Following error occurred with enabled OCR comparison: A faulty tesseract configuration. Check the path to tesseract
• Critical error in PDF export occurred with multiple layer

Version 22.10

• Added support for comparing tif/tiff and JPEG2000 image files. To compare JPEG2000 images, the corresponding plugin must be enabled.

Version 22.4

• A search bar was added to comparisons view. It allows a more refined search with multiple parameters. This results in better search results.

Version 22.10

Fixed Bugs

• All differences were all merged to the first page despite the page they were originally on.

Version 22.10

Fixed Bugs

• Fixed: Columns not detected due to a line that separated the footer from the content

Version 21.10

• Rotated text is not compared when using the multi column filter

Version 23.10

Fixed Bugs

• An incorrect setting no longer blocks the configuration dialog
• Quotation marks may no longer be used in the configuration path.

Version 22.4

• Updated the tess4j lib to tesseract 5.1.0.

Version 21.10

• Unnecessary dependencies removed
• Update the tess4j version to 4.6.0

Version 23.10

Fixed Bugs

• Reduced redundancy when handling clips. This reduces the CPU and memory requirements for documents with very complex clip shapes.
• Re-use and caching of 'Mask'-images in composite paint operations. This prevents OutOfMemory errors and reduces the storage size of comparisons.
• Bidirectional or right-to-left text is now correctly mapped to it's originating page instead of page 1.

Version 22.10

• Changed decoding of 'WindAnsiEncoding' to exclude control characters like line feed.

Version 22.4

• It is now optional to replace external font references by PDF native fonts. The replacement will cause a consistent result for any PDF viewer but may cause rendering artifacts.

• PDF SetColor commands with only one parameter will now set a grey scale color instead of being skipped

Version 21.10

• Not embedded fonts which refer to external system fonts will no longer be replaced by PDF-native fonts. This avoids artifacts like overlapping words in a potential PDF export of the result.

• Fixed white space issue when converting ligatures to distinct characters
• 'Alternative algorithm' for unmapped glyphes according to PDF specification implemented. This may improve the comparison result and render quality for incomplete embedded Type0 fonts.

Version 23.10

• New Clear Reports formula function "gpt" which takes any string query as a parameter and returns the GPT response.
• Added obfuscation to storage of OpenAI API Key in configuration.
• HelpDesk spam filter capability (off by default) which can check incoming emails for whether GPT would categorize them as spam.
• Anonymization of any telephone numbers and email addresses to avoid sending personally identifiable data to OpenAI.

Version 24.4

Fixed Bugs

• Setting up a calendar Task Planner trigger on repeating events that began in the past did not correctly compute the next execution time.

Version 23.4

• Triggers can be set to start after events as opposed to only before them.
• The calendar trigger automatically refreshes its events from the given calendar every 30 seconds.

• Next task execution times filter out past potential execution times.

Version 22.10

• There is a new calendar trigger that allows running Task Planner task with a time offset when an event occurs in the given ics or iCal file.

Version 22.10

Fixed Bugs

• Improved the Server Status Command in regards to its CPU load calculation when the server is running on Windows.

Version 22.4

• Added a new command serverstatus which displays server information such as version, CPU load, memory usage, and more.

Version 24.4

• The area of an active call can be opened in a new window if this function is supported by the browser. This window can be freely positioned and resized.
• During a call, the own participant and those with a video (camera or screen sharing) have a context menu (to be called up with the right mouse button) to control actions. This applies, for example, to switching the camera or microphone on and off. For participants with a video stream, this can be pulled out as an overlay in supported browsers. This overlay can be freely positioned and resized.

Version 23.10

• In the user settings, it can be enabled that the own status displays a phone icon on the user's avatar when the user is involved in a call in any channel.

Version 23.4

• In the configuration you can set whether the audio and video connections are allowed to go through the public client connections or only through configured TURN servers.

Fixed Bugs

• The CoWork Calls WebAPI ignored the preview mode option that prevents accidental execution of destructive operations.

Version 22.10

• Improved the automatic reconnection of calls
• Added option to set TURN servers which are responsible for negotiating audio and video call connections
• The overlay of a call from another channel can now be moved to another corner of the window
• Audio output improved when switching channels: no more interruptions
• Sounds are played when another participant joins or leaves a call or raises the hand (configurable)
• Optionally, the entering or leaving of a participant in a call can be announced by voice ( configurable)
• Audio and video calls are automatically reconnected when the connection to the server is restored, or the page is reloaded by mistake
• In the channel list, the participants of a call are now listed below the channel
• The caller view and the call overlay have been further optimized
• The available reactions within a call can now be defined in the configuration. If all emojis are removed, this feature will also be disabled
• Layout improvements for calls in the Safari browser

• Speech recognition when switching with a call to another channel

Version 22.4

• Added support for voice and video calls
• Allow screen share of multiple screens without participating in a voice call
• Added support for muting and leaving calls using the WebAPI

Version 23.4

• The details like name, description and icon of meeting rooms can be changed by authorized users.
• Users with the "Create Meeting Rooms" permission can add additional members to a room via the member list.

Version 22.10

• With CoWork meeting rooms, temporary channels can be set up and external users can be invited. Many use cases such as external support, product demonstrations and the creation of temporary workgroups are possible.

Version 23.10

• Added obfuscation to storage of DeepL API Key in configuration.

Version 23.10

• The new Web Server Errors panel displays a graph of request errors logged by the server. All web server responses with a status code of 400 or higher are logged and displayed aggregated per day.
• In the logging panel, the list of selectable threads has been reverse sorted. The log file can thus be filtered to the last up to 100 threads.

Fixed Bugs

• Condition for free disk space returned the wrong boolean value.

Version 23.4

• Condition for free disk space returned the wrong boolean value.

Version 22.10

• Added support for a memory dump when running with an OpenJ9 Java VM.

• Condition for free disk space returned the wrong boolean value.

Version 21.10

• Condition for free disk space returned the wrong boolean value.

Version 22.4

Fixed Bugs

• Fixed possible error message "accountID must not be null" in Discord configuration.

Version 21.10

• Discord plugin in category "Task Planner" will be replaced by general Discord plugin. You can find it in Plugin Store category "Communication". If the old plugin was activated, the new one will be installed automatically by the setup

Version 23.4

• Added separate backup and restore option for Embedded Websites.

Version 23.4

• File results of a Task Planner task are optionally sent as an attachment with the CoWork message.

Fixed Bugs

• Added a helpful link instead of an error message in the task planner dialog in case an external server hadn't been set yet.

Version 24.4

• Dropped option "Own Value" + "Multiple Values" for custom fields of type "Selectable Values", only one of both is allowed.

Version 22.10

• Added new Data Type "Date with Time" and "Time"
• Added option "Ignore timezone" for "Date" and "Date with Time" in order to work with local dates
• Label and description of predefined and user-defined fields can be translated into multiple languages via the Field Settings dialog
• Added task in maintenance which will backup all user field settings with translations and custom fields.

Version 22.10

Fixed Bugs

• When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.

Version 22.4

• When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.

Version 24.4

• In the diagnostic application, in the System Dumps section, there is a new option to export the SBOM in JSON format.

Version 23.4

• Support for generating a Software-Bill-of-Materials JSON file using the server's ./well-known/sbom URL with an administrative user account.

Fixed Bugs

• Release Notes were not displayed in the HelpCenter.

Version 22.10

• Links that require another plugin to be enabled open the Plugins Store where the required plugin can be activated or loaded.

Version 21.10

• PDF export was not possible from a help page accessed through an untrusted HTTP URL in the browser.

Version 24.4

• Initial Release of the JWebEngine as a plugin.

Version 23.10

• Added placeholders to the HTTP trigger, that are filled by sending multiple optional "parameter" queries. that means, that you can extend the HTTP trigger URL with ?parameter=abc&parameter=def... to fill the placeholders.

Version 23.4

• Added text area field for POST and PUT methods to allow directly sending JSON data with the request

Version 22.10

Fixed Bugs

• Fixed access to trigger when set to be available for everyone

Version 22.4

• Added option to add header entries to HTTP action

Version 24.4

• If i-net CoWork runs within an i-net HelpDesk installation, a new ticket with the content of the message can be created with a menu entry at a message.
• In the Google Chrome browser, the system's idle detection can be activated in the settings. The "Your device use" permission must then be granted in order to use the detection.

Version 23.10

• Users can react to messages with emojis. The last five emojis are quickly accessible via the context menu.
• The action "CoWork Online Status" of the Task Planner allows to change the status of the user by e.g. time triggers or CoWork commands.
• Text files attached to messages get a preview with the first 10 lines. This can be expanded further to show up to 50KB of the file.
• When pasting text into a new message, it will be added as an attachment if it is more than 4000 characters or 40 lines long.
• Using the context menu, individual attachments of a message can be removed.
• Horizontal lines and Markdown tables can be used in message texts.
• The WebAPI returns reactions on messages and allows to toggle reactions for a logged in user.
• The WebAPI returns an "Access Forbidden 403" status instead of "Access Denied 401" when a logged-in user does not have access to a team or channel.
• The WebAPI allows to search for messages using the same syntax as the CoWork application.

Version 23.4

• Scrolling of the messages improved
• The user's online status is displayed at the messages and at the suggestions for mentions. Displaying the status on the individual messages can be deactivated in the settings.
• In the menu of a message the user and the time of the message are shown.
• It is possible to reply to messages. The user of the quoted message is automatically mentioned and gets a notification about the reply.
• Messages, channels and users for direct messages can be found via the global search bar
• Management of members of teams and channels has been changed:
  • Formerly public channels (with no members specified) now have the "All Users" group as a member by default.
  • Teams and channels without members are no longer accessible to all users, now they can be accessed by no one
  • Channels can now be explicitly set to inherit members from the team. Alternatively, a custom selection can be made.
  • Groups no longer need to have CoWork permission explicitly set to be set for memberships. All groups are selectable.
• Channels support uploading of custom icons
• Videos will be played inline in the channel.
• The color markers used to highlight new messages in channels can be set as follows: mentions only, all messages or completely disabled.
• Using the "Copy Text" action in the context menu, the selected text or the entire text of a message can be copied.
• In the "Emoji" dialog of the configuration interface, custom emoji can be added via SVG.
• An extra page with details of logged-in users and created messages has been added for the diagnostic application. Other CoWork plugins can add additional information.
• Automatic playback of gif animations and videos can be customized in the settings.
• Links to web pages in messages additionally generate a preview with title, description and image if the web page contains appropriate Open Graph or Twitter metatags.

Version 22.10

• Added support for the creation of temporary meeting rooms.
• Added support for emoji
• Integrated idle detection with a configurable delay. Will switch from online to away when absent
• A marker is now displayed to indicate new messages
• CoWork reconnects to the server without reloading the whole page
• The Task Planner trigger "CoWork Command" is able to split the parameters into single values to be referenced via placeholder in jobs and actions
• Drafts are saved per channel and also synchronize across multiple devices
• Links in messages can be copied via a click in the context menu
• Smaller thumbnails are generated for images. Attachments are cached in the client for up to 30 days.
• Improved focus handling for touch devices

Version 22.4

• Added link to the bottom of the message list to jump to the latest message with one click
• Changed markdown editor to better support major browsers
• Added Task Planner trigger to add CoWork commands that will execute a Task Planner task
• Added Task Planner action to send a message in a specific channel
• Redesign of members list in channel
• Images can now be opened with a click as larger preview
• Added badge to the task bar entry when there are unread messages

Version 22.4

Security Fixes

• Library update to fix CVE-2021-23792.

Version 24.4

• PGP support added including the ability to use private keys with passphrases. Incoming encrypted emails can be decrypted using the private key, and outgoing emails to addresses whose public keys we have are encrypted. Public keys included in incoming emails are automatically imported.

Version 23.10

• Added an advanced configuration property to determine which server name is being used for the EHLO mail command. When using a private network server alongside a public mail server, it may be necessary to provide a publicly determinable server name in order to avoid higher spam score values or potential rejection of emails by the mail server.

Version 23.4

• Support for S/MIME signature and encryption of email messages

Version 23.10

• Backups can be selected from the server, e.g. when they can not be uploaded in the web interface due to their size (>2GB).

Version 22.10

• When changing data of multiple users at once, custom user fields which accept multiple values can now be set to multiple values instead of only one as before.
• The User Accounts section of the Maintenance application allows to deactivate multiple users at the same time.

Fixed Bugs

• Fixed a rare error that could occur when changing data of users on custom user fields whose keys were purely numbers.

Version 22.4

• The User Accounts section of Maintenance allows to set user data for multiple users at the same time. This can be helpful for when entire departments or groups of users have changed addresses or other information.

Version 21.10

• Problems with backup of large files from a database persistence (MongoDB, AzureCosmosDB) occurred

Version 23.4

Fixed Bugs

• Simple line breaks were incorrectly displayed in the browser version of MS Teams.

Version 22.10

• Improved the configuration page to link to the store if the token authentication plugin needs to be installed.

• The task planner template "Microsoft Teams" would incorrectly insert the server's URL if it did not end on a slash.

Version 22.10

• The default language for notifications created in the Configuration application is English. When opening and saving existing notifications, an automatic update of the default language is made in this dialog.
• Notifications sent to the operating system require interaction from now on if the notification is critical. This feature is available only if it is supported by the browser and the operating system.

Version 22.4

• Added support for Web-Push notifications. A hint is displayed when the browser requests permission to show the notifications.

Version 21.10

Fixed Bugs

• Permanent notifications must be kept in the notification center, even though they are displayed by the operating system

Version 24.4

• Added Sing in with Apple as authentication provider. Note: you have to be enrolled in the Apple Developer Program to set up the authentication connection.

Version 23.10

• For Google and Microsoft Azure login the settings from the plugin oauth.connection can be used.

Version 23.4

• Also imports the avatar for new users when they log in to Azure.
• Also adds a system login for Azure and ADFS users so that users can be merged with a possible LDAP import.

Fixed Bugs

• When logging in a new OAuth user, the metadata, such as email, last name, first name, and avatar were not applied. The user was displayed only with the ID, instead of a display name.

Version 22.10

• When logging in a new OAuth user, the metadata, such as email, last name, first name, and avatar were not applied. The user was displayed only with the ID, instead of a display name.

Version 22.4

• Added optional tenant for Microsoft Azure authentication.

Version 22.4

• Added support for OAuth 2.0 authentication for emails for Office 365 (modern authentication) and Gmail.

Version 24.4

• Initial Release of the PDF Viewer. The viewer can be used as a rendering format, much alike the HTML Viewer.
• The viewer is called using init=pdfviewer when requesting a report. It will only be useful in an online browser when rendering reports.
• The viewer takes care of loading the requested report, as well as handling prompt request.
• It should be noted, that the viewer will display reports only when they have finished rendering. The state of loading the PDF is provided from the viewer.
• PDFs displayed in the viewer can be saved and printed, if natively supported by your modern browser.
• Using a prompt on refresh option you can modify the prompt input when reloading a report using the menu.
• Report files with group information will render an outline on the left side. You can select an outline entry to jump to the page and section - which is highlighted. Clicking the entry again removes the highlight from the document.
• A separate text search is not provided by the viewer, since the browser has a much more powerful search. However, you can select and copy highlighted text from the document.

Version 24.4

• If the product login is activated and users log in with the user name and password stored there, they can have a reset link sent to them in case they have forgotten their password. To do this, the user must have entered an e-mail address and e-mail dispatch must be configured on the server.

Fixed Bugs

• Some HTML editor actions in dialogs could not be used in Firefox browser.

Version 23.10

• Fixed data buffer length for ajax and websocket requests
• Corrected timeout handling for websocket connections with broken VPN connections

Security Fixes

• Security Update for CVE-2023-45818
  • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
• Security Update for CVE-2023-48219
  • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Version 23.4

• Added magnifying glass icon in the search bar to increase the visibility of the search function.
• In the company info dialog of the configuration, it is possible to set to whom the installation hint for the application as a PWA is displayed. Guests and other special user accounts never get the hint displayed.

Version 22.10

• The search bar has been updated to use CodeMirror for better overall keyboard support

• Upgraded library momentjs to version 2.29.4 due to CVE-2022-24785 and CVE-2022-31129
• Upgraded library tinymce to version 5.10.2 to include latest bugfixes

Version 22.4

• Optimization of the connection recovery from the browser to the server

Version 21.10

• Moved file service check to temp folder instead of working directory

Version 24.4

• The Crystal Reports 8.5 flag "Convert DateTime to Date" is no longer supported.
• The Zxing barcode JavaBean supports the code GS1-Data-Matrix.
• MariaDB Connector/J driver added.
• Removed Support for ReportServletJP
• The non-functioning export of JAR files, which also contained the Report Viewer, has been removed from the server.
• Added dynamic update of available report renderer formats that can be selected as default rendering formats in the configuration.
• New Java annotation '@DoNotOptimize' for user defined functions. This annotations prevents functions with constant parameters from beeing optimized and thus from beeing always called once. '@DoNotOptimize' should be used whenever a function manipulates data instead of just returning a value.

Fixed Bugs

• In HTML (advanced) text there were problems with display:inline-block which could lead to unexpected breaks when rendering.

Version 23.10

• Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
• Merging parameters of stored procedures with the same name in different catalog/schema is prevented.
• The obsolete Datasource Property driverLibrary was removed.
• In the HTML Viewer, using the search now allows to find more than 50 entries. Once the user went through all the entries to 50, another set of 50 entries will be searched in the the report.
• The conversion "To SQL" in the database wizard now also supports "SQL expression fields" used in formula fields.

• Several configuration settings for the XLS output format were used only after a server restart.
• Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.
• The HTML Viewer modified the line spacing incorrectly to calculate font auto scaling options.
• The date and time data type detector accepts only years in the range 0 to 9999 as valid dates for JSON and XML data sources.
• Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.
• Wrong value for tag ConformanceLevel error occurred when the FacturX profile BASIC WL or EN 16931 was used.
• XML data sources duplicated content if the XML file contained a & encoded as &.
• Regression: It was not possible to open a report using file: key URL parameter, e.g. https://servername:port/file:/<path>/<reportfile>.rpt.
• When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.
• Performance of SQL generation with complex formulas for grouping and sorting improved.

• NULL values of the Show Value formula will be ignored now and not be rendered as 'NULL' string.
• Fixed various issues related to standard and custom number formatting in export format XLSX.
• Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
• A stack overflow error was produced in the HTML Viewer when setting an incompatible default zoom and opening a subreport.
• Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.

Version 22.10

• The rendering output format Microsoft Word (*.docx) is now supported
• Improved image quality in PDF output format if it is not saved in JPEG or PNG format in the report template.
• The rendering output format JSON is now supported
• Rendering text as HTML-Advanced output does not embed images anymore, but downloads and references them. The HMTL-Viewer supports these images even for URLs referenced in the inlined css, e.g. for background images.
• Comments on MySQL table columns are no longer used as column alias.
• Improved performance of date/time parsing functions date/time and datetime in formula
• Continuous Stacked Bar Chart is now supported
• ShowValue can now display a value from a formula on simple chart types.
• Images in HTML-advanced fields are stored as separate files instead of inlined data when exporting to HTML
• Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
• Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.
• MariaDB has been added to the supported data sources. It is necessary to add the driver MariaDB Connector/J.

• Section with enabled "Print at Bottom of Page" was not printed at the end of the page if HTML output format was used and the page before this section was empty.
• Sorting of fields did not work in HTML viewer
• Under certain circumstances, narrow blank table rows occurred in XLSX and ODS export when the report contained horizontal lines near other fields and they were not correctly rasterized.
• Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
• A stack overflow error was produced in the HTML Viewer when setting an incompatible default zoom and opening a subreport.
• Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.
• Wrong value for tag ConformanceLevel error occurred when the FacturX profile BASIC WL or EN 16931 was used.
• When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.

Version 22.4

• Font replacement improved for 'HTML advanced' formatted text. The replacement works on character-level now, just like in other text types
• TotalPageCount is evaluatable in a trigger function
• Improvement of continuous charts
• added support for markers
• consider line style "None" to only show markers
• added support for combining of continuous charts with XY charts

• Fixed a NullPointerException printed to the console when logging is disabled

Version 21.10

• Word break was improved for a more natural text flow
• The alignment value of a field will now be applied in case of text interpretation 'HTML-advanced' as well
• New output format added: Email. It is a simple HTML format. A single file format that can be used as email body. It can be triggered with the URL parameter: init=email
• Formula function AddAttachment(String,Binary) added. It can be used to add embbedded files to PDF output format
• Support for WebP images and other image formats added. The plugin "ImageIO Extension" is required. It can be installed using the plugin store
• PDF export: Character replacing for embbeded fonts containing character which are in code blocks which are not in the code block list of the font
• Reuse of images when exporting an embedded PDF to PDF, reduces the overall file size
• Images in HTML content will no longer be down scaled for printing. This will result in a better resolution for images in exports (e.g. PDF) but may cause a larger file size
• Formula expression result added as placeholder in result actions. It can be used to return a single value from the report to the task planner which can then be used using the [report.formula] placeholder
• NoClassDefFoundError: Could not initialize class com.inet.cache.internal.MemoryObserver - occurred with OpenWebStart
• Set a custom product title for external representation
• Add WebAPI /api/reporting/report/render endpoint to render reports using Token Authentication
• Continuous Numeric Category Axis can now also be set to logarithmic
• Use the correct database row for inlined fields in crosstab labels such as the total labels
• Support for exporting CSV files larger 2 GB added (format csv and data)
• Add support for stored procedures for PostgreSQL
• Comments on MySQL table columns are no longer used as column alias.
• Support for the decimal separator of a user-defined number format in XLSX format
• Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
• Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.

• Fixed the loss of datasources after a BackingStoreException in Preferences.sync()
• Fixed the gray background that occurred when printing from HTML viewer
• Fixed a NullPointerException printed to the console when logging is disabled
• Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
• Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.
• When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.

Security Fixes

• The default value of the "Allow unknown Data Sources" setting (key permission.allowunknowndatasource) has been changed from "true" to "false".
• Security Update for CVE-2024-1597
  • pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

Version 23.4

• Added Markdown text interpretation in the CommonMark and i-net CoWork flavors.

Version 21.10

Fixed Bugs

• Fixes badly formatted cookies sent to the login script.

Version 24.4

• When execution of setup is required, it displays a banner for that in all applications.

Version 23.4

• When installing on a drive other than C:\ (Windows) then the program data directory can be changed during the setup.

Version 22.4

• Setup now works properly when updating a single or multiple plugins via the plugin store. Duplicate executions and confusing messages will be avoided.
• When updating the product-core plugin, Setup now updates all updateable plugins from the store.

Version 23.4

• The event log backup job can optionally include previously archived event entries when using a file persistence.

Version 21.10

• Date and time values now respect the client's time zone when displayed
• Memory for user and reports now store 20,000 entries as maximum to limit memory consumption

Version 24.4

• Up to 5 teasers are displayed at the top of the store, which are automatically rotated through.
• The description of plugins, as well as the changelog and migration information is added to the documentation in the help.
• Setup will no longer update plugins automatically when only a minor update of the core product (i.e. 22.4.120 to 22.4.198) was performed.

Version 23.10

• The store now shows a link to the full changelog and migration information history in the plugin details.
• In the plugin changelog history you can select a specific version to jump to that section.
• In the help, when opening the release information page, there is now a dropdown to select a version from which, up until the current one, the release changes are displayed.

Security Fixes

• Plugin sideload is disabled if permissions are not restricted in the system.

Version 22.4

• Allow navigating through screenshots with the cursor keys. Escape key will close the preview.

Version 21.10

• The plugin store is new and replaces the configuration of the plugins in the configuration
• New versions and features are requested from the public plugin store and can be installed
• On future updates, the setup will automatically update all activated plugins from the store

Version 24.4

• Added JSVG library to render SVG files, e.g. for report files.
• Added compatibility level option for previous version 23.10 that allows to switch back to the Batik SVG renderer.

Version 23.10

• Updated the internal Batik libraries to version 1.16.

Version 22.10

• Updated the internal Batik libraries to version 1.14.

Version 24.4

• The bundled Eclipse Temurin Java VM was updated to version 21.0.2.
• Added support for Java version 22

Fixed Bugs

• User search result entries will avoid displaying the same value in the top and bottom lines.

• Fixes broken Digist authentication with Chrome browser.

• Fixed a bug breaking the User Manager web interface if the country of the server is not valid.
• Fixed a bug with searching digits and number data types which has produce the error: IllegalArgumentException: Empty left and right operand in search condition
• Fixed a deadlock with OpenJ9 Java VM when starting the server via API.

• Fixed embedded fonts for .NET viewer (error message: Could not create font with ID 1).

Security Fixes

• Security Update for CVE-2024-30172
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Version 23.10

• When searching "Date field:<date", the day of the date is no longer included in the search result.
• Added DynamoDB persistence property TablePrefix.
• All web server responses with a status code of 400 or higher are stored in an additional event log. They can be checked with the statistics and diagnostics plugins.
• The order of authentication providers without settings can be changed in the Configuration Manager.
• Added security.txt configuration option. The content of this option will be sent to clients requesting the /.well-known/security.txt file.
• The guest account no longer has administrative permissions for security reasons, even if there are no restrictions on permissions (systempermission.enabled=false). Administrative permissions of the guest account must be explicitly activated if required (guest.full.permissions=true).
• Does not override the system property "javax.net.ssl.trustStoreType" if already set.

• Security Update for CVE-2023-35116
  • An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
• Security Update for CVE-2018-1002208
  • SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
• Security Update for CVE-2021-32840
  • SharpZipLib is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
• Security Update for CVE-2023-5072
  • Denial of Service in JSON-Java versions up to and including 20230618.  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. 
• Security Update for CVE-2023-44487
  • The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
• Security Update for CVE-2023-22102
  • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
• Security Update for CVE-2023-34062
  • In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
  • Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.
• Security Update for CVE-2024-25710
  • Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
• Security Update for CVE-2024-22201
  • Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
• Security Update for CVE-2023-51775
  • The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
• Security Update for CVE-2024-30172
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Version 23.4

• Eventlog entries are also written in Recovery Manager.
• Configuration action in Login category added to reset authentication group members.

• Security Update for CVE-2022-36033
  • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
• Security Update for CVE-2020-13946
  • In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
• Security Update for CVE-2022-42003
  • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
• Security Update for CVE-2022-31684
  • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
• Security Update for CVE-2022-41946
  • pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
• Security Update for CVE-2021-37533
  • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
• Security Update for CVE-2022-23494
  • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
• Security Update for CVE-2022-41915
  • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.
• Security Update for CVE-2023-22551
  • The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.
• Security Update for CVE-2023-24998
  • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
• Security Update for CVE-2022-45688
  • A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
• Security Update for CVE-2022-45688
  • Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
• Security Update for CVE-2024-30172
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Version 22.10

• Installer for macOS using Apple Silicon is available
• The bundled Eclipse Temurin Java VM is version 17.0.6
• Added support for DynamoDB persistence
• Added support for the HTTP header Forward (RFC 7329) for use with reverse proxies.
• Database Persistence accepts any configuration scope (USER or SYSTEM) and can also run as a non-root account.

• Added option to disable the "Stay logged in" feature for all users.
• Security Update for CVE-2020-36518
  • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
• Security Update for CVE-2022-24823
  • Netty is an open-source, asynchronous event-driven network application framework. The package ''io.netty:netty-codec-http'' prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own ''java.io.tmpdir'' when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
• Security Update for CVE-2021-23792
  • The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
• Security Update for CVE-2022-21363
  • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
• Security Update for CVE-2020-11023
  • In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
• Security Update for CVE-2022-2191
  • In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
• Security Update for CVE-2022-2047
  • In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
• Security Update for CVE-2022-31160
  • jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling ''.checkboxradio( "refresh" )'' on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the ''label'' in a ''span''.
• Security Update for CVE-2022-31197
  • PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the ''java.sql.ResultRow.refreshRow()'' method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. '';'', could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the ''ResultSet.refreshRow()'' method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the ''refreshRow()'' method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as ''42.2.26'' and ''42.4.1''. Users are advised to upgrade. There are no known workarounds for this issue.
• Security Update for CVE-2022-31129
  • moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
• Security Update for CVE-2022-36033
  • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including ''javascript:'' URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default ''SafeList.preserveRelativeLinks'' option is enabled, HTML including ''javascript:'' URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable ''SafeList.preserveRelativeLinks'', which will rewrite input URLs as absolute URLs - ensure an appropriate [[https:*developer.mozilla.org/en-US/docs/Web/HTTP/CSP|Content Security Policy]] is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
• Security Update for CVE-2022-42003
  • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
• Security Update for CVE-2022-31684
  • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
• Security Update for CVE-2021-37533
  • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
• Security Update for CVE-2022-23494
  • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
• Security Update for CVE-2022-41915
  • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator) call, into a remove() call, and call add() in a loop over the iterator of values.
• Security Update for CVE-2023-24998
  • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Version 22.4

• The bundled AdoptOpenJDK 17 was updated to Eclipse Temurin Java VM 17.0.4.1.
• Two factor authentication supported.
• Prevent side load of plugins for wrong application version.
• It is now supported to use Web-Push notifications.
• MeetUp has grown up, is called i-net CoWork and is now also available as a separate product.

• Fixed a thread bug that allowed a user to run single requests in another users security context.
• Security Update for CVE-2021-37136
  • The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
• Security Update for CVE-2021-37137
  • The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
• Security Update for CVE-2020-21913
  • International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.
• Security Update for CVE-2021-4126
  • No information available.
• Security Update for CVE-2021-43797
  • Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
• Security Update for CVE-2021-41182
  • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.
• Security Update for CVE-2021-41183
  • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.
• Security Update for CVE-2021-41184
  • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.
• Security Update for CVE-2020-36518
  • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
• Security Update for CVE-2022-24785 and CVE-2022-31129
  • Upgraded library momentjs to version 2.29.4.

Version 21.10

• The bundled AdoptOpenJDK 11 was updated to version 11.0.15
• Java 17 supported
• Update of old versions is now limited. If you are using an unsupported old version, an update to an intermediate version is required
• It is allowed to create a Let's Encrypt certificate with a callback to the HTTPS port. Problems with redirect to HTTPS and if the server runs only on HTTPS are solved
• Added QR code to the error page, linking to a help page which may have further details
• Different ports, configured in the configuration Web Server dialog, use different HTTP sessions
• An error message occurred during setup if redirect to HTTPS is enabled
• The plugins dialog in the configuration of the server was replaced by the Plugin Store

• Fixed a thread bug that allowed a user to run single requests in another users security context.
• Security Update for CVE-2021-29425
  • In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like ''%%"//../foo", or "\..\foo"%%'', the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value
• Security Update for CVE-2021-28165
  • In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame
• Security Update for CVE-2021-28169
  • For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application
• Security Update for CVE-2021-34428
  • For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
• Security Update for CVE-2021-21409
  • Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final
• Security Update for CVE-2021-31812
  • In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions
• Security Update for CVE-2021-36090
  • When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package
• Security Update for CVE-2021-35517
  • When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package
• Security Update for CVE-2021-37714
  • jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes

Version 24.4

• The file system action has been converted into a completely new "Save file" action, which now supports the integration of other sources, such as the Drive plugin.
• The Move Ownership page in Maintenance now supports resetting the chosen settings on the page.

Version 23.4

• Adds the {initiator} placeholder to the server stop trigger, which contains the display name of the user who restarted the server.
• Tasks executed using the /api/taskplanner/execute endpoint are temporarily stored for the user, allowing them to access them later. If the tasks are not accessed again via the WebAPI within 60 seconds, they will be automatically removed.

Fixed Bugs

• In the task planner maintenance section, it was not possible to move tasks away from deactivated users.

Version 22.10

• The parallel execution of one and the same task is now in general allowed
• Manually starting a task while it is running is now possible
• PUBLIC-API: To distinguish between multiple executions the TaskEvent and HistoryEntry now contains executionID, a unique ID for the execution.
• PUBLIC-API: TaskPlanner's execute-method now return a CompletableFuture to allow more control over actions after the execution.
• PUBLIC-API: New method cancelTaskExecution(GUID,GUID,boolean) to cancel a single running execution of a task instead of all running executions.
• Added Low Memory Trigger to notify administrators of this critical situation.
• PUBLIC-API: TimeTriggerFactory's generic type is now Trigger as it can return different types of trigger: TimeTrigger and TimeTriggerForCustomSettings

• Fixed loading of large lists of tasks in the UI
• Fixed bug endlessly showing task as running with 0% or 100% progress although there was no execution.
• The license check of the Reporting Plus license for the Task Planning application was incorrect.
• The option custom in time triggers works correctly.

Version 22.4

• Placeholders are grouped if they start with the same prefix
• Added the option custom in time triggers.
• A maintenance module is provided for batch moving Task Planner tasks from one user to another.

• Fixed visibility of Task Planner triggers, jobs, and actions (based on a user's permissions) to be in sync with the visibility of help sections for these triggers, jobs, and actions.

Version 21.10

• Long running tasks were sometimes displayed as 'INCOMPLETE'
• Correction of identical file names in the file actions for multiple identical jobs with parameter placeholders in one task.

Version 24.4

• Adding 7 new themes

Version 23.4

Fixed Bugs

• Fixed spelling mistake in "Dark Forest" theme

Version 22.10

• Removed experimental Material Blue theme

Version 23.10

Fixed Bugs

• When accessing the server using HMAC token authentication, the system failed to log the user token's last access time.

Version 21.10

• Added Plugin "Token Authentication".
• Enables Web API access using access tokens. It allows users to create access token as another means of authentication into their account - but with restricted access scopes.
• Support added for HMAC token authentication like used from MS Teams

Version 24.4

• Two-factor authentication can be deactivated for certain server IP addresses.

Version 23.10

• 2FA emails are now sent to all stored email addresses of the user and not only to the first address.

Version 22.10

• A second factor can be made mandatory in the login settings of the server configuration. If there is no second factor set for a user, it is required to be set up after a fresh login.

Version 22.4

• Plugin added to support two factor authentication.

Version 24.4

• Before irrevocably deleting a user, an dynamic overview is shown of which types of data are connected to this user and will be gone if the deletion is performed.

Version 23.10

• Added additional permission to read information from the Users and Groups Manager using the WebAPI. This allows read-only restricted access to search for users and return minimal information about them.

Version 23.4

• Added Web API Extension for Users and Groups, that allows to search for either user or groups and display detail information about them.

Version 22.4

• Added apply button to the edit dialog of a user or group. This allows to save the changes without closing the edit dialog.
• The avatar of users can be changed in the users and groups application with a click on the avatar image of the selected user

Version 21.10

• Per URL parameter s search phrases can now be passed to Users and Groups in the web interface
• A new warning message appears when removing the last group member in a sub-group which will inherit memberships
• In the preview it is possible to switch the view to show inherit entries for permissions, allowed actions and resources
• Added a new label to allowed actions and permissions that tells if it is granted and if it is inherit

Version 22.10

• Opened up the WebAPI UI to be available for public requests, such as the Task Planners HTTP trigger, allowing to run the trigger from the browser.
• Added input field for the current URL, restricting editing to variable parts that require IDs
• Added JSON area to send custom JSON to a request URL
• Added selection for HTTP method and send key to re-submit the request
• Added ability to remember ID-token in the current web API session and automatically fill them until page is refreshed

Version 21.10

• Update of the permission handling to determine if a user has access to API endpoints

Version 23.10

• Added option the security section of the webserver configuration to control embedding the application using X-Frame-Options.

Version 23.4

Security Fixes

• Security Update for CVE-2023-44487
  • The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Version 22.10

• Added placeholders for start and expiration date of the HTTPS certificate that is currently being used. The placeholders can then be used in Task Planner actions.
• Changed Jetty server from version 9.4.x to 10.0.x.
• Added support for HTTP/2 protocol.
• Allowed Cross Origins is now called Allowed Origins

• If Allowed Origins is set, it will send CORS headers that also include the external visible URL.
  • The server now checks that it is addressed using any of the given values from either the external visible URL or the Alowed Origins
  • The server checks HTTP/s as well as WS/s connections

Version 22.4

• An optional web context of the web server can be set if the server should not run in the root context.

Version 24.4

• Support for the Negotiate authentication protocol has been added. This means that Kerberos login is supported.