Fixed Bugs

• In the HTML editor, some images copied from external sources were not recognized as attachments and generated a very large text.

• If the product login is activated and users log in with the user name and password stored there, they can have a reset link sent to them in case they have forgotten their password. To do this, the user must have entered an e-mail address and e-mail dispatch must be configured on the server.

Fixed Bugs

• Some HTML editor actions in dialogs could not be used in Firefox browser.

Security Fixes

• Security Update for CVE-2023-45818
  • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
• Security Update for CVE-2023-48219
  • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

• Added magnifying glass icon in the search bar to increase the visibility of the search function.
• In the company info dialog of the configuration, it is possible to set to whom the installation hint for the application as a PWA is displayed. Guests and other special user accounts never get the hint displayed.

• The search bar has been updated to use CodeMirror for better overall keyboard support

Security Fixes

• Upgraded library momentjs to version 2.29.4 due to CVE-2022-24785 and CVE-2022-31129
• Upgraded library tinymce to version 5.10.2 to include latest bugfixes

• Optimization of the connection recovery from the browser to the server

• Moved file service check to temp folder instead of working directory

Fixed Bugs

• Fixed data buffer length for ajax and websocket requests
• Corrected timeout handling for websocket connections with broken VPN connections