
Release Information

Migration Information

System Core

  • Version 23.10 is the last version that supports:
    • Java 11
    • Jakarta EE 8 application server
    • Servlet Specification 3.1
    • WebSocket 1.1

Plugins

i-net CoWork

General

The CoWork messaging gained many advanced features, such as emoji reactions, Markdown table support and improved attachment previews.

Changes

  • Users can react to messages with emojis. The last five emojis are quickly accessible via the context menu.
  • The action "CoWork Online Status" of the Task Planner allows changing the status of the user, e.g. via time triggers or CoWork commands.
  • Text files attached to messages get a preview with the first 10 lines. This can be expanded further to show up to 50KB of the file.
  • When pasting text into a new message, it will be added as an attachment if it is more than 4000 characters or 40 lines long.
  • Using the context menu, individual attachments of a message can be removed.
  • Horizontal lines and Markdown tables can be used in message texts.
  • The WebAPI returns reactions on messages and allows toggling reactions for a logged-in user.
  • The WebAPI returns an "Access Forbidden 403" status instead of "Access Denied 401" when a logged-in user does not have access to a team or channel.
  • The WebAPI allows searching for messages using the same syntax as the CoWork application.

CoWork Calls

  • A user setting can be enabled so that the user's own status shows a phone icon on the avatar while the user is involved in a call in any channel.

ChatGPT

  • New Clear Reports formula function "gpt" which takes any string query as a parameter and returns the GPT response.
  • Added obfuscation to storage of OpenAI API Key in configuration.
  • HelpDesk spam filter capability (off by default) which can check incoming emails for whether GPT would categorize them as spam.
  • Anonymization of any telephone numbers and email addresses to avoid sending personally identifiable data to OpenAI.

DeepL

  • Added obfuscation to storage of DeepL API Key in configuration.

Diagnostics

  • The new Web Server Errors panel displays a graph of request errors logged by the server. All web server responses with a status code of 400 or higher are logged and displayed aggregated per day.
  • In the logging panel, the list of selectable threads is now sorted in reverse order, so the log file can be filtered to the most recent 100 threads.

Fixed Bugs

  • Condition for free disk space returned the wrong boolean value.

HTTP

  • Added placeholders to the HTTP trigger that are filled by sending multiple optional "parameter" query values. This means the HTTP trigger URL can be extended with ?parameter=abc&parameter=def... to fill the placeholders in order.

Mail Support

  • Added an advanced configuration property to determine which server name is being used for the EHLO mail command. When using a private network server alongside a public mail server, it may be necessary to provide a publicly determinable server name in order to avoid higher spam score values or potential rejection of emails by the mail server.

Maintenance

  • Backups can be selected from the server, e.g. when they cannot be uploaded in the web interface due to their size (>2GB).

OAuth / OpenID Authentication

  • For Google and Microsoft Azure login, the settings from the oauth.connection plugin can be used.

Remote GUI

Security Fixes

  • Security Update for CVE-2023-45818
    • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  • Security Update for CVE-2023-48219
    • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. This vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Store

  • The store now shows a link to the full changelog and migration information history in the plugin details.
  • In the plugin changelog history you can select a specific version to jump to that section.
  • In the help, when opening the release information page, there is now a dropdown to select a version from which, up until the current one, the release changes are displayed.

Security Fixes

  • Plugin sideload is disabled if permissions are not restricted in the system.

System Core

General

  • This version marks an LTS release, the last in which Java 11 is supported.
  • The bundled Eclipse Temurin was updated to version 17.0.9.

Changes

  • When searching "Date field:<date", the day of the date is no longer included in the search result.
  • Added DynamoDB persistence property TablePrefix.
  • All web server responses with a status code of 400 or higher are stored in an additional event log. They can be checked with the statistics and diagnostics plugins.
  • The order of authentication providers without settings can be changed in the Configuration Manager.
  • Added security.txt configuration option. The content of this option will be sent to clients requesting the /.well-known/security.txt file.
  • The guest account no longer has administrative permissions for security reasons, even if there are no restrictions on permissions (systempermission.enabled=false). Administrative permissions of the guest account must be explicitly activated if required (guest.full.permissions=true).

Security Fixes

  • Security Update for CVE-2023-35116
    • An issue was discovered in jackson-databind through 2.15.2 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
  • Security Update for CVE-2018-1002208
    • SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
  • Security Update for CVE-2021-32840
    • SharpZipLib is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
  • Security Update for CVE-2023-5072
    • Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
  • Security Update for CVE-2023-44487
    • The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  • Security Update for CVE-2023-22102
    • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
  • Security Update for CVE-2023-34062
    • In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
    • Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.
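The Zip-Slip pattern described in the two SharpZipLib advisories above (CVE-2018-1002208 and CVE-2021-32840), as an added example that is not part of these release notes and not SharpZipLib's own code: a Python path-containment check over zip and tar entry names, run against small constructed archives that carry a `../evil.txt` entry like the one in the advisory. The destination folder and the archive contents are constructed for the demonstration.

```python
import io
import os
import tarfile
import zipfile

def is_within(dest_dir: str, entry_name: str) -> bool:
    """True only if dest_dir/entry_name resolves to a path inside dest_dir."""
    # realpath collapses '../' segments; os.path.join() with an absolute entry
    # name discards dest_dir, so both traversal forms land outside dest.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    return target == dest or target.startswith(dest + os.sep)

def unsafe_zip_entries(data: bytes, dest_dir: str) -> list[str]:
    """Names in a zip archive that would escape dest_dir on extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if not is_within(dest_dir, n)]

def unsafe_tar_entries(data: bytes, dest_dir: str) -> list[str]:
    """Names in a tar archive that would escape dest_dir on extraction."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if not is_within(dest_dir, m.name)]

def build_zip(entries: list[tuple[str, bytes]]) -> bytes:
    """Constructed test archive; writestr() keeps entry names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

def build_tar(entries: list[tuple[str, bytes]]) -> bytes:
    """Constructed test archive with a traversal entry like the advisory's."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def demo() -> dict:
    """Scan constructed archives against an assumed destination folder."""
    dest = os.path.join(os.getcwd(), "extracted")  # constructed, never created
    zip_data = build_zip([("ok/readme.txt", b"hi"), ("../evil.txt", b"x"), ("/etc/passwd", b"x")])
    tar_data = build_tar([("ok/readme.txt", b"hi"), ("../evil.txt", b"x")])
    return {"zip": unsafe_zip_entries(zip_data, dest), "tar": unsafe_tar_entries(tar_data, dest)}
```

Run the check before extracting and refuse the whole archive if the list is non-empty; checking only for a literal `../` prefix would miss absolute names and nested forms such as `a/../../x`.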

Token Authentication

Fixed Bugs

  • When accessing the server using HMAC token authentication, the system failed to log the user token's last access time.

Two-Factor Authentication

  • 2FA emails are now sent to all stored email addresses of the user and not only to the first address.

Users and Groups

  • Added additional permission to read information from the Users and Groups Manager using the WebAPI. This allows read-only restricted access to search for users and return minimal information about them.

Web Server

  • Added an option to the security section of the web server configuration to control embedding of the application using X-Frame-Options.