{{sidenavigation.sidenavigationExpandLabel}}
{{getMsg('Help_YouAreHere')}}: {{page.title}} {{page.title}}
{{$root.getMsg("downLoadHelpAsPdf")}} {{helpModel.downloadHelpPdfDataStatus}}

Migration Information

Version 24.4

  • The Java Viewer Applet has been removed. In modern browsers, Java Applets have been unavailable for some time now. You can still use the Java Viewer in API mode.
  • The ReportServletJSP has been removed. It was used as an entry point for *.jsp files that allowed to instantiate report engines and control Java Viewer Applet HTML output.
  • The Drive will replace the previous Report Repository as the central storage solution.

Version 23.10

  • The deprecated datasource property driverLibrary has been removed. To use additional driver libraries, you must move them to the lib directory of the installation.

Version 21.4

WAR file for Oracle Weblogic

The initialization for WebSocketEndPoint to be registerable in Oracle Weblogic was changed in version 21.10. This fixed the error java.lang.IllegalStateException: Not in 'deploy' scope..

If you use an web.xml file of another WAR file you need to add the listener **com.inet.http.ExpandableServletContextListener**

Version 20.0

Changes in program structure

The internal structure has changed. That is why the new plugin reporting (file: plugins/reporting.zip) is now mandatory to start i-net Clear Reports. Due to this change the previous startup scripts are no longer valid and have to be changed.

In addition, the i-net Designers plugin remotedesigner.zip has been renamed to designer.zip.

If manual changes were made to the startup scripts, they have to be updated accordingly:

  • Report Server: the startup script has to be changed from
    • From: ~~java -cp core/ClearReports.jar com.inet.report.ClearReportsServer~~
    • To: java -jar core/inetcore.jar
  • i-net Designer: the startup script has to be changed from
    • From: ~~java -jar core/designer.jar~~
    • To: java -jar core/inetcore.jar designer
  • Command Line Parameters: the startup has to be changed
    • From: ~~java -jar core/ClearReports.jar -forceImportConfig ...~~
    • To: java -cp core/inetcore.jar com.inet.config.recovery.RecoveryConfiguration -forceImportConfig ...
  • **Servlet Users of custom *.war or *.ear**: the servlet class has to be changed
    • From: com.inet.report.ReportServlet
    • To: com.inet.http.PluginDispatcherServlet. See the reference war file for details.

Note: Developers who utilise API classes such as com.inet.report.Engine from the reporting.jar have to extract this jar file from the reporting.zip plugin now.

Behavioural changes

  • The Web API plugin has been updated with a new remote interface application which requires an additional permission. Every other previous Web API extension now requires this permission as well. Users with specific Web API permissions must be checked and reconfigured in the Users and Groups Manager.
  • com.inet.report.ReportServlet has been removed. If there were extensions from the previously deprecated API, then they have to be moved to a plugin, registering an extension now.
  • The formula functions BytesFromFile and TextFromFile now limits access to files to prevent a path traversal for normal users. The specified file must be from a valid report location, and if it is located in the file system then it must be from the same directory or subdirectory as the report itself.
  • Custom implementations of com.inet.report.PropertiesChecker can not be added to the lib directory anymore. They have to be implemented using a plugin. See <SDK>\\Documentation and Samples\\Plugin - Samples\\PropertiesChecker for an example plugin.
  • Custom implementations of javax.servlet.Filter can not be added to the lib directory anymore. They have to be implemented using a plugin. See <SDK>\\Documentation and Samples\\Plugin - Samples\\ SessionDatasource for an example plugin.
  • The com.inet.report.Listener class has been removed. The web server has not been started by this class since version 15.x. The web server is started using the plugin webserver.zip.

Version 19.0

  • The MySQL Connector/J was updated to version 8.0.13. It is recommended for MySQL Server 5.5 or higher. For older MySQL Server version you could replace the MySQL Connector/J with the version of the previous i-net Clear Reports version
  • With the Server Printers plugin enabled users will not be able to use the server printer after upgrading to version 19. They will have to have group permissions assigned to regain access to server printers
  • The Data Source Manager Interface has been renewed from the ground up. Existing Data Sources in the former User/System/Temp/Session - Scopes will now be readonly from the interface but can still be added and modified using API. An new Application Scope has been added which now supports assigning user groups to restrict permissions
  • Data Sources are now handled differently for reports.
    • Data Sources with the same name may exist with different permissions in different scopes
    • The are looked up in the following order: User Session ScopeTemporary ScopeApplication Scope with permissionUser ScopeSystem Scope
    • Application Scope with permission means that there may be more than one Data Source with the same name but with different permissions. The first that is allowed for the users group will be used

Version 18.0

  • Data will be migrated by the setup into the new format of i-net Clear Reports version 18. Therefore we recommend to backup the program data.
  • The /remote context of the Remote GUI has been removed. Applications beneath this entry point have been moved up one level.
  • If you have a plugin which implements your own AuthenticationProvider then you must rewrite it. To support multiple login sources in parallel the API has changed. A sample for a such a plugin can be found in the SDK.
  • If you use the repository plugin then security settings will be migrated. After the migration it will no longer work with older versions of i-net Clear Reports. Permission patterns are not supported anymore. The administrator needs to check whether the users have the desired and expected permissions.
  • If the remote printing plugin is enabled then in the HTML viewer this is available via menu point.
  • There is a new default plugin that embeds the HTML Viewer into the remote application. That means that users of the HTML Viewer will see the configured logo, will be able to to signup/login and directly access their remote applications.
  • When having permissions or userdata for old, now unused, users, such users will appear as User Accounts in the new Users And Groups Manager. Take a look there and delete obsolete users.
  • The pattern (like "", "vwl.rpt", ...) in the folder permissions of the Repository Browser are no longer supported. After migration the settings will be valid for all report files in the same folder. If other patterns than "*" (all reports) were used then it is necessary to check the folder permission settings in the Repository Browser. The permission "Server Administration" is necessary for that.
  • The C# implementation based on IKVM is deprecated. It was replaced with the ProcessBridge. You can find it in the SDK (https://download.inetsoftware.de/clear-reports-sdk-latest.zip). You find the required folder structure for Visual Studio and Powershell in the readme.html of the folder "i-net Clear Reports .NET Bridge". It is necessary to reimplement your program using i-net Clear Reports API because the API is not compatible with the implementation based on IKVM.
  • In version 18 the option "Mapping Fonts" is enabled by default. If this option is activated, all characters of a logical or not embedded font will be replaced with characters of an embedded font.

Version 17.0

Migration of Scheduler Jobs

Every Scheduler task since version 12 will be migrated to the Task Planner in the setup when updating a system that used the previous Scheduler.

Migrating tasks from the Scheduler to the Task Planner

  • Make sure that the plugin Task Planner - Render Reports is activated
  • Make sure all tasks of all users are deleted from the Task Planner. Migration only occurs if the Task Planner is empty.
  • Restart your server. In the initialization phase it will now migrate the tasks silently.
  • If it does not migrate the Scheduler tasks to the Task Planner please check the log files and send it to our support.

Migration issues

When tasks are migrated from Scheduler to Task Planner, some minor issues may arise, since many things have been streamlined and simplified. See the following hints.

Reports

  • The setting as file: was removed, which gave each generated report a different name. Now the name of the generated file(s) come from the title configured in the report template (.rpt). However, the *File System Action has an option File Name Format which allows you to construct a unique name.

Action settings

  • For Save (on servers file system) the settings Attach date and Attach time was combined into the option File Name Format.
  • For Send via Email, the CC and BCC options were removed, and values from CC are added as normal receivers. The options Put reports in a zip file, Attach date and Attach time were removed.
  • For Print (at server-known printer) the option Count of Copies was removed, it always prints once. Other even older options like orientation and quality which were only available via Java API were also removed.

Time settings

There are some rare combinations of settings which were possible with the old Scheduler but are no longer possible with the Task Planner. It is possible some of the more exotic settings will get a slightly different behavior in the Task Planner.

  • Daily execution with a DayStepSize greater than 1, which means execute every N days. In the scheduler this adds N days from the start date for each next execution. After conversion to Task Planner this always starts at the 1st of month and then adds N days for each next execution. If the DayStepSize is 7 then it will convert to a weekly interval.
  • Weekly execution with a WeekStepSize greater than 1, which means every N weeks. If it is 2 then a Two Weeks interval will be used. Other values are not supported in the Task Planner and when converting this it will set the WeekStepSize to 1.
  • Monthly execution with a MonthStepSize greater than 1, which means every N months. In the scheduler this adds N months to the start date for each next execution. This can only be represented with a Cron Trigger. The Cron starts at a given month and then adds N months for the next execution. When converting such tasks it will determine the start-month automatically in order to match the correct interval. This only works if the MonthStepSize is 2, 3, 4, 6 or 12. For other values it will be every N months, but the execution month will likely be wrong.
  • Yearly execution with a YearStepSize greater than 1, which means every N years. This is not supported in the Task Planner and when converting this it will set the YearStepSize to 1.
  • Delete this task after Execution: This feature is not available in the Task Planner.
  • Multiple executions on same day: one Time or Cron-Trigger does not support this, but you can add multiple triggers to the same task. When those tasks are migrated it will create many triggers automatically.
  • End execution after N executions or after a given Date: this feature is not available in the Task Planner. When converting expired tasks they will be deactivated.

Custom Actions

Old custom actions will not work after migrating to the Task Planner. Those actions must be replaced with custom Jobs and/or Actions. See the programming samples for how to implement your own Job or Action.

Dynamic Properties

Old dynamic properties classes will not work after migration to Task Planner. If you loaded your dynamic values from a Database then you can probably replace your custom dynamic properties with a Database Series. For other cases it should be replaced with a custom Series implementation. See the programming samples for how to implement your own Series type.

Task owner

In Task Planner, each task always must have an owner, so a task belongs to a user. Migrated tasks will have Scheduler as owner. Because certain triggers, jobs and result handlers require certain permissions the artificial user Scheduler gets some permissions automatically if you have System Permissions enabled. If you remove the permissions it can happen that tasks can no longer be executed.

If you want to move the tasks to another user then you must duplicate a task and then delete the old one. The new task will belong to the currently logged in user.

The Repository: permissions and ownership

Due to the new user the reporting server is running with there may be permission problems when accessing the Repository browser. You should look up the path of your repository in the Configuration Manager and check the permissions of this path in a console program on the server.

It is important for the reporting server that its user has read+write permissions to every file and additional execute permissions for directories. The owner of each file and directory should be the user the reporting server is executed with.

You can find out the respective user using ps aux | grep java.

A server restart is required after these changes were made.

Report Renderer Job

Version 23.4

  • Scheduler migration from version 16 and earlier: The automatic migration of Scheduler tasks from versions 16 and earlier is no longer supported. In order to keep all of your configured Scheduler tasks please install an intermediate version, such as v22.10, before updating to the desired version 23 or later.

Sample Reports Repository

Version 23.10

  • The Sample Reports Repository plugin replaces the sample reports, originally delivered with the installer.

Discord

Version 21.10

  • Any webhooks found in existing Task Planner Discord actions will be added to the central Discord Incoming Webhooks list in the configuration.

Field Settings

Version 24.4

  • Custom field of type "Selectable Values" with both options "Own Value" and "Multiple Values" activated are migrated to the option "Own Value". A combination of both options is not possible anymore.

HTML Engine

Version 24.4
The HTMLEngine is a core component of all our products. As such, it must be included in the plugins directory at all times; otherwise, the server will not start.

i-net CoWork

Version 22.4

Backups

Backups for MeetUp that were previously configured and used in maintenance are no longer compatible. CoWork must be activated again in the configured backup.

It is recommended to create fresh backups before and after each update.

PDF Parser

Version 24.10

  • The parser.pdf plugin replaces the previous decoder.pdf plugin

System Core

Version 24.4

  • The minimum required Java version is Java 17.

Version 23.10

  • The version 23.10 is the last version that supports:
    • Java 11
    • Jakarta EE 8 application server
    • Servlet Specification 3.1
    • WebSocket 1.1

Version 23.4

  • The Docker Containers have been updated to run with a restricted user instead of the root users.
    • The new restricted users id and group id are 1000.
    • Host mounted volumes have to be updated to reflect the new user and group id manually.
    • Host mounted volumes mount points of the users home directory have to be updated from /root to /home/<username>. The <username> is determined using the whois command in the container
    • Additional information is available from our FAQ: https://faq.inetsoftware.de/t/upgrading-to-user-restricted-docker-container/277

Web Server

Version 22.10

  • The Allowed Cross Origins option is renamed to Allowed Origins and performs additional checks on the server side when configured.
    • The external visible URL is also sent as allowed origin using the CORS header
    • Connections to the server (either HTTPs or WSs) are also checked against the list of allowed origins and the external visible URL

Plugin Changes

Version 24.10

  • Weblog data sources also allow the parsing of *.csv files as a replacement for the obsolete CSV driver.
  • Users can directly open report files rendered using the html.zip export format stored in the Drive.
  • Enlargeable images that extend beyond their parent section are no longer cut off at the bottom of the page if they fit on the next page.
  • A new value fullmerge has been added to the CellDistribution parameter for the XLSX, ODS, and XLS export formats. This value allows all cells of an object to be merged into a single cell.
  • Support for Boxed Bar Chart
  • In left-aligned text, any whitespaces at the end of the line are also output.
  • Additional report URL locations is checked with complete folders and not just with a simple startsWith.
  • For divisions in formulas or totals, the numbers are now converted to fixed point numbers with a higher tolerance in order to minimize rounding errors.
  • Embedded images (HTML Basic and Markdown) are also output in the editable DOCX export format.
  • Subreports that do not start at their top position and if a Keep Together flag applies, may not use all the available space on the next page, but are cut off too early.
  • ToWords formula function added for the Indonesian language.
  • The behavior of “To SQL” in the database wizard has been improved so that quoted alias names are also recognized and references of columns with alias names are better matched.

Fixed Bugs

  • Some elements of SVG graphics were missing in PDF format.
  • The fields in crosstabs contained position frames, although the report was exported as editable files in Microsoft Word format (DOCX).
  • Prevents a rare NullPointerException in cache management which led to an Internal Server Error (500).
  • SVG output format for report which show a prompt dialog.
  • In HTML (advanced) text there were problems with display:inline-block which could lead to unexpected breaks when rendering.
  • Black/white images such as QR codes were missing when printing under macOS from JavaViewer or Designer.
  • Several configuration settings for the XLS output format were used only after a server restart.
  • Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.
  • The HTML Viewer modified the line spacing incorrectly to calculate font auto scaling options.
  • The date and time data type detector accepts only years in the range 0 to 9999 as valid dates for JSON and XML data sources.
  • Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.
  • Wrong value for tag ConformanceLevel error occurred when the FacturX profile BASIC WL or EN 16931 was used.
  • XML data sources duplicated content if the XML file contained a & encoded as &amp;.
  • Regression: It was not possible to open a report using file: key URL parameter, e.g. https://servername:port/file:/<path>/<reportfile>.rpt.
  • When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.
  • Performance of SQL generation with complex formulas for grouping and sorting improved.
  • NullPointerException in XLS export with multi-section lines that starts in the hidden report header area.
  • Some elements of SVG graphics were missing in PDF format.
  • NULL values of the Show Value formula will be ignored now and not be rendered as 'NULL' string.
  • Fixed various issues related to standard and custom number formatting in export format XLSX.
  • Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
  • A stack overflow error was produced in the HTML Viewer when setting an incompatible default zoom and opening a subreport.
  • Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.

Version 22.10

  • The rendering output format Microsoft Word (*.docx) is now supported
  • Improved image quality in PDF output format if it is not saved in JPEG or PNG format in the report template.
  • The rendering output format JSON is now supported
  • Rendering text as HTML-Advanced output does not embed images anymore, but downloads and references them. The HMTL-Viewer supports these images even for URLs referenced in the inlined css, e.g. for background images.
  • Comments on MySQL table columns are no longer used as column alias.
  • Improved performance of date/time parsing functions date/time and datetime in formula
  • Continuous Stacked Bar Chart is now supported
  • ShowValue can now display a value from a formula on simple chart types.
  • Images in HTML-advanced fields are stored as separate files instead of inlined data when exporting to HTML
  • Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
  • Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.
  • MariaDB has been added to the supported data sources. It is necessary to add the driver MariaDB Connector/J.
  • Section with enabled "Print at Bottom of Page" was not printed at the end of the page if HTML output format was used and the page before this section was empty.
  • Sorting of fields did not work in HTML viewer
  • Under certain circumstances, narrow blank table rows occurred in XLSX and ODS export when the report contained horizontal lines near other fields and they were not correctly rasterized.
  • Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
  • A stack overflow error was produced in the HTML Viewer when setting an incompatible default zoom and opening a subreport.
  • Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.
  • Wrong value for tag ConformanceLevel error occurred when the FacturX profile BASIC WL or EN 16931 was used.
  • When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.

Version 22.4

  • Font replacement improved for 'HTML advanced' formatted text. The replacement works on character-level now, just like in other text types
  • TotalPageCount is evaluatable in a trigger function
  • Improvement of continuous charts
  • added support for markers
  • consider line style "None" to only show markers
  • added support for combining of continuous charts with XY charts
  • Fixed a NullPointerException printed to the console when logging is disabled

Version 21.10

  • Word break was improved for a more natural text flow
  • The alignment value of a field will now be applied in case of text interpretation 'HTML-advanced' as well
  • New output format added: Email. It is a simple HTML format. A single file format that can be used as email body. It can be triggered with the URL parameter: init=email
  • Formula function AddAttachment(String,Binary) added. It can be used to add embbedded files to PDF output format
  • Support for WebP images and other image formats added. The plugin "ImageIO Extension" is required. It can be installed using the plugin store
  • PDF export: Character replacing for embbeded fonts containing character which are in code blocks which are not in the code block list of the font
  • Reuse of images when exporting an embedded PDF to PDF, reduces the overall file size
  • Images in HTML content will no longer be down scaled for printing. This will result in a better resolution for images in exports (e.g. PDF) but may cause a larger file size
  • Formula expression result added as placeholder in result actions. It can be used to return a single value from the report to the task planner which can then be used using the [report.formula] placeholder
  • NoClassDefFoundError: Could not initialize class com.inet.cache.internal.MemoryObserver - occurred with OpenWebStart
  • Set a custom product title for external representation
  • Add WebAPI /api/reporting/report/render endpoint to render reports using Token Authentication
  • Continuous Numeric Category Axis can now also be set to logarithmic
  • Use the correct database row for inlined fields in crosstab labels such as the total labels
  • Support for exporting CSV files larger 2 GB added (format csv and data)
  • Add support for stored procedures for PostgreSQL
  • Comments on MySQL table columns are no longer used as column alias.
  • Support for the decimal separator of a user-defined number format in XLSX format
  • Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
  • Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.
  • Fixed the loss of datasources after a BackingStoreException in Preferences.sync()
  • Fixed the gray background that occurred when printing from HTML viewer
  • Fixed a NullPointerException printed to the console when logging is disabled
  • Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
  • Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.
  • When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.

Version 21.4

  • PDF export: The rendering time is used as creation time of the PDF file. In earlier versions it was the creation time of the rpt template
  • The XLSX / ODS export creates fewer very small columns. This can cause problems if the report elements are not very well aligned and also very tightly designed
  • Embedded fonts preserved the original font family name now. This can result in a different printing output (print job size) via Java report viewer client if the same font is installed on the client system
  • Jpeg2000 encoded images supported
  • Font replacement improved for PDF reports if enabled
  • Perfomance of DatabaseMetaData.getTables() improved
  • HTML export:
    • New implementation of HTML-Advanced in HTML-Export added. The result will now be fixed by i-net Clear Reports, leaving less room for render differences in the client browser
  • XLSX / ODS export:
    • Cell-Distribution of output formats XLSX and ODS completely rewritten
    • For compounds reports with URL parameter "reports" the table sheets in ODS/XLSX use the title of the underlying rpt file. In older versions the title of the first rpt file was used
  • Web API: Upload and verification of a single or multiple file resources into the repository enabled
  • Apache Cassandra database supported as datasource. The CQL (Cassandra Query Language) can be used to fetch data
  • MongoDB database supported as datasource
  • Perfomance of DatabaseMetaData.getTables() improved
  • Weblog datasource added
  • It is possible to upload and verify a single or multiple file resources into the repository using Web API
  • A report (engine) can be printed to a local printer using .NET API
  • Private key authentication to Task Planner FTP tasks added
  • Some PDF files embedded in the report are incorrect displayed in the PDF export. Depending of the structure of the embedded PDF file some images can be replaces with other images of the same PDF document
  • ClassCastException in Maintenance with MongoDB persistence occurred
  • Rendering issues occurred in the "Options | i-net Clear Reports". The "i-net Clear Reports" icon was missing and the dialog "Manage configurations" was not displayed correctly
  • Prompt request dialog did not work in the report repository when using a guest account

Security Fixes

  • Enables the master password to be deleted. The master login button is now hidden via a new flag.
  • PDF files exported using encryption could be opened with Safari without a password if only the user password was set.

Version 24.4

  • The Crystal Reports 8.5 flag "Convert DateTime to Date" is no longer supported.
  • The Zxing barcode JavaBean supports the code GS1-Data-Matrix.
  • MariaDB Connector/J driver added.
  • Removed Support for ReportServletJP
  • The non-functioning export of JAR files, which also contained the Report Viewer, has been removed from the server.
  • Added dynamic update of available report renderer formats that can be selected as default rendering formats in the configuration.
  • New Java annotation '@DoNotOptimize' for user defined functions. This annotations prevents functions with constant parameters from beeing optimized and thus from beeing always called once. '@DoNotOptimize' should be used whenever a function manipulates data instead of just returning a value.
  • Every report in the drive was executable for all users, even without the permission Execute All Reports.

Version 23.10

  • Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
  • Merging parameters of stored procedures with the same name in different catalog/schema is prevented.
  • The obsolete Datasource Property driverLibrary was removed.
  • In the HTML Viewer, using the search now allows to find more than 50 entries. Once the user went through all the entries to 50, another set of 50 entries will be searched in the the report.
  • The conversion "To SQL" in the database wizard now also supports "SQL expression fields" used in formula fields.
  • Enlargeable images that extend beyond their parent section are no longer cut off at the bottom of the page if they fit on the next page.
  • The default value of the "Allow unknown Data Sources" setting (key permission.allowunknowndatasource) has been changed from "true" to "false".
  • Security Update for CVE-2024-1597
    • pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

Version 23.4

  • Added Markdown text interpretation in the CommonMark and i-net CoWork flavors.
  • PostgreSQL version updated because of CVE-2020-13692

Version 20.10

  • Performance improved when embedding large font files
  • Date formats with regional settings (e.g. en-UK) supported in prompt dialog
  • Improved compatibility for old save states with dataviews
  • New notifications are now directly shown in the web client when the OS notifications are disabled or not possible
  • SameSite=Lax Attribute set for login cookies
  • Changes of heap memory, language, country and VM arguments will work with a server restart from the web interface. Before a service restart was required
  • Web applications can now be installed as Progressive Web App (PWA)
  • Note added to configuration property "Restrict Permissions" in dialog "User & Groups" because when global permissions are not restricted then all users have administrative access!
  • Diagnostics now show cache memory usage
  • Maintenance: It is now possible to restore backups that were not made with the current version. The backup is checked for whether it is compatible with the current version, and if so, it is able to be restored
  • Changed AdHoc default render format in the WebGUI to PNG for a lossless result
  • Use the correct database row for inlined fields in crosstab labels such as the total labels
  • ToWords formula function for Hungarian language adds a space as thousands separator
  • Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines
  • Use getColumnLabel() instead getColumnName() for DB2 driver version 4 and later. This has an effect for a SQL command with "AS" keywords on columns

HTML Report Viewer

  • Prompt dialog is pre-filled with first default prompt values
  • Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines
  • Print preview was empty if the "HTML Viewer Module Toolbar" plugin was enabled
  • Values of defaultzoom parameter changed to PAGE_FIT, PAGE_WIDTH and PAGE_HEIGHT
  • The HTML report viewer group tree supports several new actions: the tree can be closed using a toggle button, it can be resized by dragging the divider. Entries in the group tree can be expanded and collapsed (default) using a triangle button in front of every entry. The width and visibility of the group tree is being saved in the browser for later sessions
  • Remote Printing plugin added as an print option to print the current report on the server
  • Reports that required a prompt does not open properly in the Internet Explorer 11 after the prompt request dialog was closed
  • The HTML Report Viewer will now export reports with more than 100 pages to PDF instead of printing them using the browser function
  • If a report page can not be found in the HTML Viewer after refreshing the report (out of range error), the last page of the report will be opened. The viewer will be blocked until the report finishes rendering
  • CSV export from the HTML Viewer with custom delimiters set to 'Other' or 'Fixed column width' did not work
  • Prompt parameter value was decoded. This was problematic for PropertyChecker implementations
  • "Uncaught URIError: URI malformed" or "URIError: malformed URI sequence" occurred if group tree node contains special character like '%' and drill down was used on this node
  • Image size increases because original image data was not used
  • Export format "HTML.ZIP" was not available if not all export formats allowed for this report
  • Additionaly to the percent value the following values are now possible: "Fit Screen",​ "Page Height"​ or "Page Width"
  • Prompt parameters were double-encoded.
  • Export format "HTML.ZIP" was not available if not all export formats allowed for this report
  • Additionaly to the percent value the following values are now possible: "Fit Screen",​ "Page Height"​ or "Page Width"
  • Prompt parameters were double-encoded
  • HTML report viewer does not use embed fonts to get font metrics
  • "Uncaught URIError: URI malformed" or "URIError: malformed URI sequence" occurred if group tree node contains special character like '%' and drill down was used on this node
  • Fix for Microsoft IE/Edge browser: Disable endless mode while rendering the report; Show Mouse-Not-Allowed for disabled menu entries.
  • The jump position for search results and the group tree has been calculated wrongly when the report viewer page was scaled/zoomed in.

Fixed Bugs

  • Exception "java.lang.IllegalStateException" with message "Not valid for write: id=..." occurred
  • Error occurred with expired session: IllegalStateException: Invalid for read: id=xxx created=xxx accessed=xxx lastaccessed=xxx maxInactiveMs=xxx expiry=xxx
  • PDF export: Character replacement for embbeded fonts improved containing characters which are in code blocks which are not in the code block list of the font
  • Regression in Diagnostics occurred because of that only the first 8 entries in list was show because the pagination was broken
  • ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used
  • OutOfMemory or ReportCache errors occurred because of problems with false positive low memory detection. The log output contains the warning: "There was a low memory situation and possibly some jobs were canceled." and maybe other subsequent errors
  • It was not possible to login if a localhost URL was used in Chrome browser to open the web interface
  • Access to the repository with Login using WebDav has not worked on Windows
  • Wrong PDF signature configuration leads to a failed designer start
  • WebDav access to the report repository has not worked on Windows. No login was requested
  • Temporary errors (Extenal visible URL '...' was not validated) occurred during validation of Private Cloud License
  • PDF export: IndexOutOfBoundsException and NullPointerException occurred with embedded OpenType font
  • Chinese content was not aligned well on right side if Justified was used
  • PDF export:
    • Chinese characters were missing because of a bug with word wrapping that was wider than the field, surrogate characters and font replacement.
  • IllegalStateException occurred with message Unknown operation: com.inet.report.renderer.doc.controller.bk@0 if:
  • subreport contains TotalPageCount and the last instance of the subreport has no rows
  • harddisk cache was used
  • XLSX / ODS export: Exception "java.lang.IllegalArgumentException with message x2 must not less than x1" occurred if the report contains a crosstab
  • XLSX / ODS export: Percentage number was incorrectly displayed (multipled by 100)
  • Rare rounding error occurred when reducing the scale of a number by more than 9 digits in a formula function
  • Patches the SQL command to query the metadata (column names) was wrong if the SQL statement contains strings which contains brackets, e.g. REPLACE(A.FIELD,';)',')'). In this case WHERE 1=0 was added after the ORDER BY clause
  • Oracle table source identifier with a package name will be always used as name of a stored procedure and never as name of a table. This makes it possible to use the same name for a package stored procedure and a table
  • Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.

i-net Designer

  • The following errors occurred sometimes in Remote Designer when opening a report from the repository: "No repository configuration found for file: "...rpt"" and "Not authorized. Please check your permissions and restart the Designer if applicable.".
  • It was not possible to edit a 3D Chart because the properties dialog does not open
  • Wrong PDF signature configuration leads to a failed designer start
  • The error "HTTP ERROR 400 Duplicate valid session cookies" occurred with remote designer
  • Error "cannot access class sun.print.SunAlternateMedia" occurred in the Remote Designer used with Java 9
  • Support for the Windows setting "Large Fonts" in the i-net Designer added if it is used with Java 9
  • Now the user formula can be named the same as Property Formulas
  • Remote i-net Designer requires the adhoc plugin
  • The Remote Designer now supports the JNLP protocol for a direct start of the JNLP file. The HTTP URL stays available as fallback link
  • Exception com.inet.cache.internal.CacheLoadException occurred on Unix if there are 2 instances running
  • Incorrect error markers occurred in problem finder. This error only occurred for formulas that were using a 'user defined function' when loading a report from the repository
  • Fixed the error "cannot access class sun.print.SunAlternateMedia" in the Remote Designer with Java 9
  • NullPointerException occurred if a condition in if then operator was not true
  • In case of a long list of system fonts the i-net Designer needed a long time to start
  • NullPointerException with custom Look & Feel occurred
  • Hairline box without background was not printed in the Java output (report preview)
  • Problem Finder does not warn if all Page Header sections together are longer than a page but "Underlay Following Section" is activated for one of the Page Header sections
  • NoSuchMethodError: com.inet.viewer.ViewerUtils.c() occurred if the remote Designer was started from i-net Clear Reports running in a servlet engine like Tomcat. In this case it was not possible to open a report or to create a new report

Version 16.4

  • Formula Editor: NullPointerException occurred if no values were set for parameter fields used in the formula
  • NoSuchMethodError: com.inet.viewer.ViewerUtils.c() occurred if the remote Designer was started from i-net Clear Reports running in a servlet engine like Tomcat. In this case it was not possible to open a report or to create a new report
  • Report Error [217] Unknown image format occurred while adding encoded HTML document.
  • It was not possible to add a MySQL stored procedure to the report in the i-net Designer.

Fixed Bugs

  • NullPointerException occurred in case of nested user function calls in formulas
  • XLS export: "Suppress if Duplicated" does not suppress duplicate fields in some cases
  • Unhandled Exception "java.lang.InternalError" with message "couldn't create component peer" occurred with Java 8u152
  • Fix the error "Report Error [1401] Illegal argument for DATE sproc ..." with SP parameter of type DATE
  • RTF export:
    • Font names in font table should be written using an East-Asian character set encoding instead of unicode
    • Content on some text boxes not displayed completely if the text box contains a lot of text
  • Crosstab property "Suppress Row Labes" in "Group Options" does not work for more than one field in crosstab rows, if it is enabled for more than one field in crosstab rows
  • Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM
  • Only the end of a "Can Grow" field was displayed at the 2nd appearance of the field if the field has been continued on a second page
  • Patching the SQL command to query the metadata (column names) was wrong if the command contains function "listagg(...) within group ...". In this case "WHERE 1=0" was added to the listagg function
  • Italic text with right-aligned or justified was truncated on the right border of a text element.
  • XLSX export: If the property "New sheet per top-level group" was enabled then it could occur that an image was not displayed on a new sheet if it was not already displayed on the first sheet.
  • CSV and DATA export: UTF-8 BOM added.
  • Unknown operation error occurred if the report contains "Page N of M" or TotalPageCount not on the first page but on other pages and hard disk cache is used.
  • Java script injection was possible in the error handler.
  • "IllegalArgumentException: Invalid character found in the request target." occurred. To solve it username for StyleSheet URLs normalized.
  • PDF export: NullPointerException occurred during export in PDF/A format.
  • ORA-28040: No matching authentication protocol - occurred with Oracle 12c
  • It was not possible to open an .rpt file with a double click in the i-net Designer. The i-net Designer installer now register the .rpt extension correctly.
  • It was not possible to add ZxingBarCode JavaBean to a report because of missing files in "lib/beans" directory of i-net Designer installation.
  • Formula Editor: NullPointerException occurred if no values were set for parameter fields used in the formula.
  • It was not allowed to resize the render window in repository browser if Internet Explorer was used.

Version 16.2

  • Add class DocumentOutputStream to create rendered documents with fewer memory usage or write asynchrone.
  • Stored Procedure is not executed before the parameter request dialog appear. This improves the performance of adding large stored procedures to the report.
  • Add also pieces of WHERE from the Record Selection Formula if in addition to the joined tables there is an SQL Command.
  • NegativeArraySizeException occurred while parsing an BMP image. BMP images with top down line order now supported.
  • PDF export:
    • The choosen embedded font for supplementary code points was incorrect. Symbolic fonts like SansSerif were not replaced correctly.
    • Replacement of logical Fonts has not worked correctly if PDFA export was used.
    • Texts with supplementary characters can be now be exported in PDF format.
  • The following exception occurred if a certificate with IBM JavaVM was used: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available.
  • XLSX export:
    • Skip zero characters in XLSX output because this produce corrupt XLSX files.
    • The border of text elements was drawn with double line thickness.
  • The error "Data not found : page=1.html" has occurred sometimes.
  • A not blank section could be detected as blank section if:
    1. the section properties "Suppress Blank Section" and "Keep Together" are enabled
    2. the section contains only a subreport which Top position is not at the top of the section
    3. the free space of the section above the subreport does not fit on the the previous page

Security Fixes

  • Critical Security Update for Help Plugin (CVE-2020-11431)
  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 16.3

  • Certificate from Let’s Encrypt certificate authority can be requested in the "Web Server" dialog.

SDK

  • HTML Viewer Print via PDF Plugin: Error occurred: Class Not Found: com.inet.htmlviewer.printpdf.HTMLViewerPrintViaPDFPlugin
  • Samples for PropertiesChecker and EngineFactory plugins added
  • API method CertificateInfo.getInstance, parameter keyStorePathOrUrl supports path or URL. Keystore file for signing PDF files can be set as URL
  • The C# implementation based on IKVM is deprecated. It was replaced with the ProcessBridge

Security Fixes

  • Security Fix: Open Redirect Vulnerability occurred (CVE-2020-28150)
  • Security Fix: Jetty CVE-2020-27216
    • In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability
  • Possible JavaScript injections prevented
  • Security Fix for CVE-2020-13692
    • PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE

Version 20.4

  • User defined functions can now be used in the record selection to be executed on the database. This requires all parameters of the function call to be constants or prompt fields
  • Improved cell distribution for crosstabs in ODS and XLSX format
  • Login of Members of Windows group Guest is possible

Fixed Bugs

  • Zero value displayed with sign (-0) if the result was from a negation in a formula
  • Error "Report Error [1401] Illegal argument for DATE sproc ..." occurred with SP parameter of type DATE
  • Arabic text in text export truncated
  • Security Bug: Improved security to prevent 'efail' attacks. Image URLs need to be valid in text interpretation "Advanced HTML"
  • Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM
  • Overlapping fields in Ad-Hoc reports with sums in group footers occurred
  • Truncated Arabic text occurred in text export
  • Orignal SQLException was hidden by TransferException

Task Planner

  • Use the client time zone (if available) to display the next execution times
  • Placeholder from some triggers was added
  • A task can be executed parallel multiple times now
  • XML export added to the task planner
  • Prompt values added as placeholder that can be used for example for report name or in email action.
  • It is now supported to set "Delete previous results after X days" for a file action. With this property it is possible for example to delete old backups
  • Error message improved if the Engine Cache Timeout occurs. In earlier versions an ArrayIndexOutOfBoundsException occurred
  • Permissions for the task planner can be set via groups now. The task owner must login once after the update to activate this
  • All default values of a prompt parameter will be set if the prompt field supports multiple values on new report jobs
  • Task Planner rights can be set via group rights in "Users and Groups" app
  • It is possible to export/import a task using Web API
  • Sorting and grouping of tasks by owner was wrong
  • If a prompt field of a report supports "Multiple Values" then all default values of the prompt will be added to the array of values
  • Export Properties was missing in "Jobs" dialog "Report" for Excel and Open Document Spreadsheet
  • CSV export was missing
  • Problems in the task planner with the reporting cache occurred if a previous task execution has produced an error
  • It could occur that the TaskPlanner clean up the 'normal' user comparisons
  • Default values of Prompt fields were not read from the rpt file
  • NumberFormatException: For input string: "<long number>" occurred
  • Filename of CSV export with enabled "Data only" property and postscript export was wrong.

Fixed Bugs

  • Formatting was broken if alpha numeric sorting was used for a group
  • Use getColumnLabel() instead getColumnName() for DB2 JDBC driver version 4 and later. This has an effect for a SQL commands which use column alias ("AS" keywords on columns)
  • Hairline box without background was not printed in the Java output (report preview)
  • "Check Connection" in datasource properties was very slow with Oracle database version 12c release 2

Security Fixes

  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders
  • The formula functions BytesFromFile and TextFromFile now limits access to files to prevent a path traversal for normal users. The file must be from a valid report location, and if it comes it from the file system then it must be from the same directory or subdirectory as the report itself

Version 19.2

  • The "External visible URL" being used for the EHLO command when connecting to an SMTP server
  • Any subdomain (like *.example.com) on "Allowed Cross Origins" supported
  • PDF export: Dejvu-Sans is used as default font for font embedding if no other font is available in the font path
  • Fix the recognition of value data types for JSON data sources if the source files contain white spaces
  • Null values in JSON data source supported
  • New data Sources will be saved in the new application scope now
  • The property "driverLibrary" has been removed from the list of properties for Data Sources. Additional drivers for databases have to be provided using the "lib" directory of the installation
  • Thai support for the formula function ToWords
  • Add Engine.SetData to the .NET process bridge
  • Persistence Repository implementation added
  • Benchmark for CPU and IO rating added in Maintenance application
  • Engine.SetData added to the .NET process bridge

Data Source Manager

The Data Source Manager has been reworked from the ground up and comes with an all-new Remote GUI interface. It now supports assigning datasource permissions to specific user groups

  • Completely new Data Source Manager Interface
  • New Data Sources will always be created in the Application Scope
  • Existing Data Sources in the former User/System/Temp/Session - Scopes will be readonly in the Remote GUI
  • Assigning user group permissions to datasources can be performed by users with the User Manager permission.
  • Data Sources can be exported individually using the cards menu and multiple Data Sources can be exported using Click and CTRL+Click / CMD+Click to select and then using the top menu "Export" Button
  • The Import (top menu → Add → Import) of Data Sources will always create the new Data Sources in the editable Application Scope
  • The former Scopes are available via API only. The Remote Interface only displays the indirectly using the "visibility" entry in the Data Source card
  • Default value of the property "Supports SQL92" in a new Oracle datasource is true now
  • For a new Oracle datasource the default value of the property "Supports SQL92" was false. Since Oracle version 9 it supports the SQL ANSI 92 syntax. Therefore the default value is true now
  • The datasource manager allows to enter a custom database/catalog name while still suggesting existing names
  • Cannot read property 'driver.group.basic' of undefined occurred if a datasource was saved without modifications

Fixed Bugs

  • Possible deadlock on startup occurred if a custom configuration was set via "clearreports.config" or "clearreports.configfile"
  • Permission check with Authentication Groups for logged in users was wrong
  • Multiple values in the property "Other VM Arguments" in configuration dialog "Web Server" were not supported
  • Rare rounding error occurred when the scale of a number was reduced by more than 9 digits in a formula function
  • Access to the repository with Login using WebDav has not worked on Windows
  • OutOfMemory or ReportCache errors occurred because of problems with false positive low memory detection. The log output contains the warning: "There was a low memory situation and possibly some jobs were canceled." and maybe other subsequent errors
  • Security issue "Cross-Site Scripting" occurred
  • Unknown operation: com.inet.report.renderer.doc.controller.bk@0 occurred with TotalPageCount (NofM) in subreports
  • Property RELOAD_ON_NEW_REQUEST does not work if there was no output format specified in the report URL
  • "java.io.NotSerializableException: com.inet.font.truetype.i" occurred if a font path was set and "Page NofM" or PageCount was used in very large reports. Because of that the server could hang
  • Regression occurred: Special field "current user" and the formula WebUserName returns the display name. Now it returns again the id of the user and not the display name
  • Embedded fonts used in PDF documents embedded in a sub report where missing in the created report
  • Layout of text in right to left fonts (Arabic, Hebrew) was wrong, if the text parts have different styles (bold, italic, etc.). It occurs in the output formats: PDF, PostScript, image and Java report viewer
  • Sorting in charts with 2 groups was incorrect if the first category value does not contains all series values of the chart. In this case the sorting of the series was incorrect
  • PDF export: Embedded fonts with glyphs in the range of 0xF000-0xF0FF were not dispalyed in PDF file
  • CSV export: Empty CSV export with encoding UTF8 opened with MS Excel. MS Excel shows the content "" in the first cell instead of a complete empty table
  • ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used
  • NullPointerException in debug mode if a plugin has no version information
  • Patching the SQL command to query the metadata (column names) was wrong if the command contains function listagg(...) within group .... In this case WHERE 1=0 was added to the listagg function
  • XLSX / ODS export: Percentage number was incorrectly displayed (multipled by 100)
  • Patches the SQL command to query the metadata (column names) was wrong if the SQL statement contains strings which contains brackets, e.g. REPLACE(A.FIELD,';)',')'). In this case WHERE 1=0 was added after the ORDER By clause
  • Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines
  • Oracle table source identifier with a package name will be always used as name of a stored procedure and never as name of a table. This makes it possible to use the same name for a package stored procedure and a table
  • IllegalStateException: REGISTER error occurred because a classloader loop occurred if the i-net Clear Reports libaries has been added to /lib directory
  • Layout of text in right to left fonts (Arabic, Hebrew) was wrong in the design view, if the text parts have different styles (bold, italic, etc.)
  • NullPointerException occurred when opening an rpt file with corrupt subreport, created by an older i-net Designer version
  • XLSX export: Line offset was wrong on third sheet if "New sheet per top level" was enabled
  • The automatic font scaling did not work as expected in Internet Explorer
  • Buttons to sort and filter task list not displayed if Task Planner list is very long
  • Report server was started with command line parameter "-importdatasource" or "-forceimportdatasource"
  • Configuration data lost if MongoDB was used for persistence with multiple report server instances
  • Synchronization of cached user data, groups, task planner, maintenance data between multiple nodes was incorrect if using database persistence (MongoDb, Redis)
  • Fix the recognition of value data types for JSON data sources if the source files contain white spaces
  • In Chrome browser it was not possible to save the PDF result of a report if it was already displayed in PDF viewer of the Chrome browser. The save prompt indicates ‘Save as type: All Files (.)’ instead of PDF
  • Text export: Charset was set incorrectly
  • Property RELOAD_ON_NEW_REQUEST does not work if there was no output format specified in the report URL
  • NoSuchMethodError: 'void java.lang.SecurityManager.checkSystemClipboardAccess()' occurred if Java report viewer was use with Java 11
  • Hairline box without background was not printed in the Java output (report preview)

Version 19.0

  • Notification for low disk space added
  • Locale of the client is used for formatting in the prompt dialog, e.g. for date formatting
  • The webserver can be configured to send addtional header fields with HTTP responses to, e.g. enforce HSTS or provide custom server information to the web client
  • Users are no longer required to have Java installed separately anymore: the Designer now supports a protocol handler to open a locally installed i-net Designer instead of the JNLP variant
  • It is now supported to give users or user groups the permission (serverprint) to remotely print on specific printers connected to the server. Now each group can be set to only print on its own server / network printer
  • Multiple LDAP server on authentication supported as fallback
  • Account id of the user added to the "stored data" view
  • A master account will be created after a valid login using the master password even if the setting "Create new User" is deactivated
  • New feature "stay logged in". After login, each user will remain logged in until they log out. After 28 days, they will be automatically logged out. It is also possible to delete user sessions in the "User and Groups" module, if you have the permission to access this module
  • Login Sessions displayed in the User details
  • It is now supported to select a preconfigured datasource for a database series in the Task Planner. The user defined JDBC settings are still possible
  • Percent formatting in the XLSX export format was incorrect
  • Warning for required .NET Framework 3.5 removed
  • Configuration data lost if MongoDB was used for persistence with multiple report server instances
  • Infinite loop occurred when using report viewer in an iFrame

Version 18.1

  • Text export: Encoding of lines and boxes in text format improved
  • Repository events added to Event Log
  • XML Export added to the task planner
  • Endless loop with a multiple page (PDF) document in a dynamic image location occurred
  • Percent format in XLSX format shows 0%
  • FactoryConfigurationError: "Provider com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl not found" occurred
  • Postscript export: Images with 8 bit gray color are displayed incorrectly or postscript printer does not print it
  • IllegalStateException occurred with message "Unknown operation: com.inet.report.renderer.doc.controller.bk@0"
  • Security issue "Cross-Site Scripting" occurred
  • Rare rounding error occurred when the scale of a number was reduced by more than 9 digits in a formula function
  • ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used
  • Stacktrace of ReportError was displayed to the user
  • Reports that required a prompt does not open properly in the Internet Explorer 11 after the prompt request dialog was closed
  • Default zoom was too small if the report was exported in only one HTML page
  • Authentication on Repository failed if Remote Designer was started in Repository Browser
  • Hairline box without background was not printed in the Java output (report preview)
  • "NamingException: LDAP response read timed out" occurred if Windows Active Directory was used for authentication with a large number of groups
  • The following error has occurred in Internet Explorer while restoring a backup: "Object doesn't support property or method 'includes'"
  • Sorting and grouping of tasks by owner was wrong

Version 18.0

  • The JDBC-ODBC-Bridge now supports VARCHAR values larger 255 characters
  • Support for SSL certificate in PEM format added
  • The report URL parameter "reports" now supports XLSX and ODS. A new sheet will be created for each report
  • Userinfo (user:password) supported in the report URL parameter. It will be send as Basic authentication header
  • Support for XLSX and ODS format for multiple report file reports added
  • "Bean Data Source" removed because of security reasons
  • Option "Font Mapping" to replace fonts that are not embeddable for PDF files is enabled by default. The change will have direct impact on Font Path settings

Security Fixes

  • Critical Security Update for Help Plugin (CVE-2020-11431)
  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 19.1

  • A restart in the server interface triggers a restart of all nodes if database persistence (MongoDb, Redis) is used
  • Event log contains a "node" column if it runs with database persistence (MongoDb, Redis)
  • Let's Encrypt certificate requests now work with multiple server and database persistence
  • Default "Font Path" for PDF export and Java viewer added. The default font path contains DejaVu fonts for Monospaced, Sans Serif and Serif fonts. Font embedding of DejaVu fonts is enabled by default
  • Prompt dialog added to Task Planner

Report Repository

  • Reimplementation of the repository search using our own search engine
  • Java report viewer removed from the list of output formats because Java applets are not supported by most current browser versions

Configuration Manager

  • Function to activate a configuration temporarily removed
  • Property "Keystore File" for signing PDF files supports URL
  • Message "Configuration not available. Please reinstall the application" was displayed sometimes while the Configuration Manager web GUI was loading the configuration
  • Error "$rootScope.model.activeCategory is undefined" occurred after server restart

Java Report Viewer

  • NullPointerException occurred if there was no default printer

Report Server

  • LDAP authentication: It was not possible to login with a user contained in an LDAP group with a group name (full Distiguished Name) longer than 100 characters

Version 17.1

  • The JAR file inetslf4j.jar was renamed into inetloggeradapter.jar. It also contains an adapter for Commons Logging
  • PDF export: JPEG images in EXIF format now supported
  • Memory improvements for images with image key
  • Date parsing order optimized to conform the modified date patterns in Java 9
  • Login Type "Internal Webserver" is also available if i-net Clear Reports is not running in an application server but if an login filter is used
  • Performance optimization for user expander formulas

Servlet

  • Servlet Spec was changed to version 3.1 and the class of the login servlet was changed to com.inet.authentication.LoginServlet

Fixed Bugs

  • Multiple issues with the Java 9 release candidate occurred
  • PDF export: Some bugs in PDF/A-1b export has been fixed
  • XLS / XLSX export:
    • Number property formulas were used although the Decimal number format was used instead of the user defined number format and the property formulas should be disabled. This could result for example in a wrong sign
    • Client timezone was ignored for date time values in the XLSX format
    • "Suppress if Duplicated" does not suppress duplicate fields in some cases
    • Percent format in XLSX format shows 0%
  • No cipher suite error with HTTPS connections occurred
  • Line height style was only used in first line of wrapped text, if Text Interpretation "HTML(advanced)" was used
  • Fix a bug with recursive table joins over multiple data sources (DS-A → DS-B → DS-A). The resulting error message was: "Report Error [1403] Error occurred while fetching data or while using data cache."
  • Unhandled Exception "java.lang.InternalError" with message "couldn't create component peer" occurred with Java 8u152
  • Clip/alignment of italic right align text with a large italic angle was wrong
  • Word breaking of Thai language in advanced HTML content was wrong. The correct behaviour requires the report locale set to be 'Thai'
  • Error "Report Error [1401] Illegal argument for DATE sproc ..." with SP parameter of type DATE occurred
  • Error "Could not create font with ID X" occurred if an OTF font was used and the property "Compress Viewer Fonts" in the Configuration Manager dialog "Font" was enabled
  • RTF export:
    • Font names in font table should be written using an East-Asian character set encoding instead of unicode
    • Content on some text boxes not displayed completely if the text box contains a lot of text
  • PDF export: Barcode font was too big
  • ArrayIndexOutOfBoundsException occurred if facename und familyname arrays have a different lenght
  • "The design of the crosstab is too large" occurred with a crosstab in a subreport
  • Currency symbol was displayed although the field was suppressed
  • If "Underlay Following Section" was enabled for a section in a subreport then it could occur that the subreport was moved to the report report page
  • If the URL used in BytesFromFile function returns an 404 error then "unknown image format" was displayed in executed report. In this case image will be shown as blank
  • Exception: "org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair" occurred
  • Crosstab property "Suppress Row Labes" in "Group Options" does not work for more than one field in crosstab rows, if it is enabled for more than one field in crosstab rows
  • Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM
  • Only the end of a "Can Grow" field was displayed at the 2nd appearance of the field if the field has been continued on a second page
  • If an embedded font have different font metrics as the system font with the same name and text interpretation "HTML(Advanced)" was used then the text layout could be broken
  • SVGDecoder does not work with Java 9 (or higher): ClassNotFoundException: org.w3c.dom.css.DOMImplementationCSS
  • PDF document was not displayed correctly in report
  • Decimal number format in XLSX and ODS output format was 0 instead of the correct number
  • Fonts of an PDF document embedded in sub report were missing
  • Security issue "Cross-Site Scripting" occurred
  • ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used

Repository

  • MIME type mismatch via SSL connection with strict MIME type checking for Echo2 Modules like Repository Browser

Web Interface

  • java.lang.NullPointerException occurred while opening file chooser

Security Fixes

  • Critical Security Update for Help Plugin (CVE-2020-11431)
  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 17.0

Fixed Bugs

  • ORA-28040: No matching authentication protocol - occurred with Oracle 12c
  • The current execution of the formula "x" was aborted due to a null value
  • Directory Plugins and lib not found if UNC path was used with Java 8

Scheduler

  • NeedPromptException occurred even though no prompt was needed.

i-net Designer

Version 24.10

  • Support for Boxed Bar Chart

Version 24.4

Fixed Bugs

  • The designer could only open 2 files via drag & drop.

Version 23.4

  • The query timeout set via the Designer user interface was ignored.
  • Reports with special characters could not be opened via the repository browser in the Designer because of encoding problems.
  • Reports with special characters could not be opened via File->Reopen... because of encoding problems.
  • The following errors occurred sometimes in Remote Designer when opening a report from the repository: "No repository configuration found for file: "...rpt"" and "Not authorized. Please check your permissions and restart the Designer if applicable.".
  • The query timeout set via the Designer user interface was ignored.
  • NoClassDefFoundError: Could not initialize class com.inet.cache.internal.MemoryObserver - occurred with OpenWebStart
  • The query timeout set via the Designer user interface was ignored.

Security Fixes

  • The JNLP client could theoretically be sent another client's cookie at startup.

Version 22.10

  • The JNLP client could theoretically be sent another client's cookie at startup.

Version 21.10

  • The JNLP client could theoretically be sent another client's cookie at startup.

Report Renderer Job

Version 24.10

  • In the reporting job, the data source of the report can be overwritten if the user has the permission for data sources.

Version 22.10

  • Fixed setting the password for exporting reports as encrypted PDF files.

Sample Reports Repository

Version 24.4

  • The samples will also be added to the Drive in addition to the deprecated repository.

Version 23.10

  • Initial release of the Sample Reports Plugin
  • This plugin contains several sample reports that will be put into a newly created repository.
  • If no repository was active, the newly created one will be activated. Otherwise the repository will only be created.
  • Note that the sample reports and repository will not be removed when deactivating or uninstalling the plugin.

Server Printing

Version 24.4

  • Added Remote Printing menu to the PDF Viewer.

Version 23.4

  • Directly printing a report now requires the URL parameter printNow=1.
  • Printer tray selection is supported. For Java 17, the command line parameter --add-exports=java.desktop/sun.print=ALL-UNNAMED is required. Command line parameter can be set in the configuration application in the advanced view.

AI

Version 24.10

  • Added Gemini, Claude, and Mistral support as AI Providers.

Version 23.10

  • New Clear Reports formula function "gpt" which takes any string query as a parameter and returns the GPT response.
  • Added obfuscation to storage of OpenAI API Key in configuration.
  • HelpDesk spam filter capability (off by default) which can check incoming emails for whether GPT would categorize them as spam.
  • Anonymization of any telephone numbers and email addresses to avoid sending personally identifiable data to OpenAI.

Calendar

Version 24.10

  • For calendar triggers and series, added the placeholders calendar.event.startDatePretty and calendar.event.endDatePretty which use the server timezone to create a more readable form of the dates.

Version 24.4

Fixed Bugs

  • Setting up a calendar Task Planner trigger on repeating events that began in the past did not correctly compute the next execution time.
  • Calendar triggers with trigger times set to trigger after calendar events would not trigger for repeating events.

Version 23.4

  • Triggers can be set to start after events as opposed to only before them.
  • The calendar trigger automatically refreshes its events from the given calendar every 30 seconds.
  • Next task execution times filter out past potential execution times.

Version 22.10

  • There is a new calendar trigger that allows running Task Planner task with a time offset when an event occurs in the given ics or iCal file.

Collaboration

Version 22.10

Fixed Bugs

  • Improved the Server Status Command in regards to its CPU load calculation when the server is running on Windows.

Version 22.4

  • Added a new command serverstatus which displays server information such as version, CPU load, memory usage, and more.

Configuration

Version 21.4

Fixed Bugs

  • Unnecessary restart message occurred in the web server dialog of the configuration manager if the HTTP port was changed to not default and the HTTPS port is default

CoWork Calls

Version 24.10

  • The connections for voice and video calls have been switched from a peer network to centralized control by the CoWork server. This allows multiple participants in a call with lower bandwidth utilization of the clients.
    • Attention: The ports and the public NAT address can be configured in the configuration so that calls can be made via the server. Please adjust the settings in the firewalls if necessary.
  • The resolution and frame rate of the webcam and shared screens can be changed in the settings.
  • Update Bouncy Castle encryption library to FIPS-certified edition. FIPS certification ensures cryptographic modules meet rigorous security standards, enhancing security and trust.

Version 24.4

  • The area of an active call can be opened in a new window if this function is supported by the browser. This window can be freely positioned and resized.
  • During a call, the own participant and those with a video (camera or screen sharing) have a context menu (to be called up with the right mouse button) to control actions. This applies, for example, to switching the camera or microphone on and off. For participants with a video stream, this can be pulled out as an overlay in supported browsers. This overlay can be freely positioned and resized.

Version 23.10

  • In the user settings, it can be enabled that the own status displays a phone icon on the user's avatar when the user is involved in a call in any channel.

Version 23.4

  • In the configuration you can set whether the audio and video connections are allowed to go through the public client connections or only through configured TURN servers.

Fixed Bugs

  • The CoWork Calls WebAPI ignored the preview mode option that prevents accidental execution of destructive operations.

Version 22.10

  • Improved the automatic reconnection of calls
  • Added option to set TURN servers which are responsible for negotiating audio and video call connections
  • The overlay of a call from another channel can now be moved to another corner of the window
  • Audio output improved when switching channels: no more interruptions
  • Sounds are played when another participant joins or leaves a call or raises the hand (configurable)
  • Optionally, the entering or leaving of a participant in a call can be announced by voice ( configurable)
  • Audio and video calls are automatically reconnected when the connection to the server is restored, or the page is reloaded by mistake
  • In the channel list, the participants of a call are now listed below the channel
  • The caller view and the call overlay have been further optimized
  • The available reactions within a call can now be defined in the configuration. If all emojis are removed, this feature will also be disabled
  • Layout improvements for calls in the Safari browser
  • Speech recognition when switching with a call to another channel

Version 22.4

  • Added support for voice and video calls
  • Allow screen share of multiple screens without participating in a voice call
  • Added support for muting and leaving calls using the WebAPI

CoWork Meeting Rooms

Version 24.10

  • Meeting room administrators can remove individual members from meeting rooms. The action for this can be found in the options menu behind the user in the member list.

Version 23.4

  • The details like name, description and icon of meeting rooms can be changed by authorized users.
  • Users with the "Create Meeting Rooms" permission can add additional members to a room via the member list.

Version 22.10

  • With CoWork meeting rooms, temporary channels can be set up and external users can be invited. Many use cases such as external support, product demonstrations and the creation of temporary workgroups are possible.

DeepL

Version 24.10

  • The language of the DeepL Task Planner job can now be set via dynamic placeholder. The value should be one of the language keys, e.g. EN or DE.

Version 23.10

  • Added obfuscation to storage of DeepL API Key in configuration.

Diagnostics

Version 23.10

  • The new Web Server Errors panel displays a graph of request errors logged by the server. All web server responses with a status code of 400 or higher are logged and displayed aggregated per day.
  • In the logging panel, the list of selectable threads has been reverse sorted. The log file can thus be filtered to the last up to 100 threads.

Fixed Bugs

  • Condition for free disk space returned the wrong boolean value.

Version 23.4

  • Condition for free disk space returned the wrong boolean value.

Version 22.10

  • Added support for a memory dump when running with an OpenJ9 Java VM.
  • Condition for free disk space returned the wrong boolean value.

Version 21.10

  • Condition for free disk space returned the wrong boolean value.

Discord

Version 22.4

Fixed Bugs

  • Fixed possible error message "accountID must not be null" in Discord configuration.

Version 21.10

  • Discord plugin in category "Task Planner" will be replaced by general Discord plugin. You can find it in Plugin Store category "Communication". If the old plugin was activated, the new one will be installed automatically by the setup

Drive

Version 24.10

  • Added feature to mount external services like Google Drive, Dropbox or FTP into the servers Drive
  • Added feature to create links to folders. The links can have different permissions.
  • Structural adjustment of the internal data structure for performance optimisation
  • Added event log for drive operations

Fixed Bugs

  • Activating/deactivating plugins with file extension for Drive now updates the data for the search.

Version 24.4

  • Sub-elements of paths were not updated when the parent element was renamed to reflect the new path.

Embedded Websites

Version 23.4

  • Added separate backup and restore option for Embedded Websites.

External CoWork Message Sending

Version 23.4

  • File results of a Task Planner task are optionally sent as an attachment with the CoWork message.

Fixed Bugs

  • Added a helpful link instead of an error message in the task planner dialog in case an external server hadn't been set yet.

Field Settings

Version 24.4

  • Dropped option "Own Value" + "Multiple Values" for custom fields of type "Selectable Values", only one of both is allowed.

Version 22.10

  • Added new Data Type "Date with Time" and "Time"
  • Added option "Ignore timezone" for "Date" and "Date with Time" in order to work with local dates
  • Label and description of predefined and user-defined fields can be translated into multiple languages via the Field Settings dialog
  • Added task in maintenance which will backup all user field settings with translations and custom fields.

FTP Transfer

Version 24.10

  • Filename encoding for connections with SFTP Servers can be changed using VM argument "sftp.encoding", e.g. "-Dsftp.encoding=BIG5". Note: it is not supported in case of SFTP Server implementing SFTP version between 3 (inclusive) and 5 (inclusive).

Version 22.10

Fixed Bugs

  • When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.

Version 22.4

  • When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.

Help

Version 24.4

  • In the diagnostic application, in the System Dumps section, there is a new option to export the SBOM in JSON format.

Version 23.4

  • Support for generating a Software-Bill-of-Materials JSON file using the server's ./well-known/sbom URL with an administrative user account.

Fixed Bugs

  • Release Notes were not displayed in the HelpCenter.

Version 22.10

  • Links that require another plugin to be enabled open the Plugins Store where the required plugin can be activated or loaded.

Version 21.10

  • PDF export was not possible from a help page accessed through an untrusted HTTP URL in the browser.

HTML Engine

Version 24.4

  • Initial Release of the JWebEngine as a plugin.

HTTP

Version 24.10

  • Added options to send an additional body content instead of just the JSON field.

Version 23.10

  • Added placeholders to the HTTP trigger, that are filled by sending multiple optional "parameter" queries. that means, that you can extend the HTTP trigger URL with ?parameter=abc&parameter=def... to fill the placeholders.

Version 23.4

  • Added text area field for POST and PUT methods to allow directly sending JSON data with the request

Version 22.10

Fixed Bugs

  • Fixed access to trigger when set to be available for everyone

Version 22.4

  • Added option to add header entries to HTTP action

i-net CoWork

Version 24.10

  • In the channel list, members have an options menu that can be used to start a direct message or enter a mention in the input field. This is also possible via the context menu of a message.

Fixed Bugs

  • The admin user could not send a bot message if the user had no channel privileges. This was intended to be possible.

Version 24.4

  • If i-net CoWork runs within an i-net HelpDesk installation, a new ticket with the content of the message can be created with a menu entry at a message.
  • In the Google Chrome browser, the system's idle detection can be activated in the settings. The "Your device use" permission must then be granted in order to use the detection.

Version 23.10

  • Users can react to messages with emojis. The last five emojis are quickly accessible via the context menu.
  • The action "CoWork Online Status" of the Task Planner allows to change the status of the user by e.g. time triggers or CoWork commands.
  • Text files attached to messages get a preview with the first 10 lines. This can be expanded further to show up to 50KB of the file.
  • When pasting text into a new message, it will be added as an attachment if it is more than 4000 characters or 40 lines long.
  • Using the context menu, individual attachments of a message can be removed.
  • Horizontal lines and Markdown tables can be used in message texts.
  • The WebAPI returns reactions on messages and allows to toggle reactions for a logged in user.
  • The WebAPI returns an "Access Forbidden 403" status instead of "Access Denied 401" when a logged-in user does not have access to a team or channel.
  • The WebAPI allows to search for messages using the same syntax as the CoWork application.

Version 23.4

  • Scrolling of the messages improved
  • The user's online status is displayed at the messages and at the suggestions for mentions. Displaying the status on the individual messages can be deactivated in the settings.
  • In the menu of a message the user and the time of the message are shown.
  • It is possible to reply to messages. The user of the quoted message is automatically mentioned and gets a notification about the reply.
  • Messages, channels and users for direct messages can be found via the global search bar
  • Management of members of teams and channels has been changed:
    • Formerly public channels (with no members specified) now have the "All Users" group as a member by default.
    • Teams and channels without members are no longer accessible to all users, now they can be accessed by no one
    • Channels can now be explicitly set to inherit members from the team. Alternatively, a custom selection can be made.
    • Groups no longer need to have CoWork permission explicitly set to be set for memberships. All groups are selectable.
  • Channels support uploading of custom icons
  • Videos will be played inline in the channel.
  • The color markers used to highlight new messages in channels can be set as follows: mentions only, all messages or completely disabled.
  • Using the "Copy Text" action in the context menu, the selected text or the entire text of a message can be copied.
  • In the "Emoji" dialog of the configuration interface, custom emoji can be added via SVG.
  • An extra page with details of logged-in users and created messages has been added for the diagnostic application. Other CoWork plugins can add additional information.
  • Automatic playback of gif animations and videos can be customized in the settings.
  • Links to web pages in messages additionally generate a preview with title, description and image if the web page contains appropriate Open Graph or Twitter metatags.

Version 22.10

  • Added support for the creation of temporary meeting rooms.
  • Added support for emoji
  • Integrated idle detection with a configurable delay. Will switch from online to away when absent
  • A marker is now displayed to indicate new messages
  • CoWork reconnects to the server without reloading the whole page
  • The Task Planner trigger "CoWork Command" is able to split the parameters into single values to be referenced via placeholder in jobs and actions
  • Drafts are saved per channel and also synchronize across multiple devices
  • Links in messages can be copied via a click in the context menu
  • Smaller thumbnails are generated for images. Attachments are cached in the client for up to 30 days.
  • Improved focus handling for touch devices

Version 22.4

  • Added link to the bottom of the message list to jump to the latest message with one click
  • Changed markdown editor to better support major browsers
  • Added Task Planner trigger to add CoWork commands that will execute a Task Planner task
  • Added Task Planner action to send a message in a specific channel
  • Redesign of members list in channel
  • Images can now be opened with a click as larger preview
  • Added badge to the task bar entry when there are unread messages

ImageIO Extension

Version 22.4

Security Fixes

  • Library update to fix CVE-2021-23792.

Mail Support

Version 24.10

  • Update Bouncy Castle encryption library to FIPS-certified edition. FIPS certification ensures cryptographic modules meet rigorous security standards, enhancing security and trust.

Version 24.4

  • PGP support added including the ability to use private keys with passphrases. Incoming encrypted emails can be decrypted using the private key, and outgoing emails to addresses whose public keys we have are encrypted. Public keys included in incoming emails are automatically imported.

Version 23.10

  • Added an advanced configuration property to determine which server name is being used for the EHLO mail command. When using a private network server alongside a public mail server, it may be necessary to provide a publicly determinable server name in order to avoid higher spam score values or potential rejection of emails by the mail server.

Version 23.4

  • Support for S/MIME signature and encryption of email messages

Maintenance

Version 24.10

Fixed Bugs

  • Fixed a potential error that could occur when deleting a user in the background while the user's data was being changed at the same time.
  • Fixed a potential error that could occur when attempting to reactivate or deactivate a user which had already been deleted.

Version 23.10

  • Backups can be selected from the server, e.g. when they can not be uploaded in the web interface due to their size (>2GB).

Version 22.10

  • When changing data of multiple users at once, custom user fields which accept multiple values can now be set to multiple values instead of only one as before.
  • The User Accounts section of the Maintenance application allows to deactivate multiple users at the same time.
  • Fixed a rare error that could occur when changing data of users on custom user fields whose keys were purely numbers.

Version 22.4

  • The User Accounts section of Maintenance allows to set user data for multiple users at the same time. This can be helpful for when entire departments or groups of users have changed addresses or other information.

Version 21.10

  • Problems with backup of large files from a database persistence (MongoDB, AzureCosmosDB) occurred

Microsoft Teams

Version 24.10

  • MS Teams Webhooks can now be changed in the configuration without needing to modify Task Planner tasks which referred to them.

Version 23.4

Fixed Bugs

  • Simple line breaks were incorrectly displayed in the browser version of MS Teams.

Version 22.10

  • Improved the configuration page to link to the store if the token authentication plugin needs to be installed.
  • The task planner template "Microsoft Teams" would incorrectly insert the server's URL if it did not end on a slash.

Notifications

Version 22.10

  • The default language for notifications created in the Configuration application is English. When opening and saving existing notifications, an automatic update of the default language is made in this dialog.
  • Notifications sent to the operating system require interaction from now on if the notification is critical. This feature is available only if it is supported by the browser and the operating system.

Version 22.4

  • Added support for Web-Push notifications. A hint is displayed when the browser requests permission to show the notifications.

Version 21.10

Fixed Bugs

  • Permanent notifications must be kept in the notification center, even though they are displayed by the operating system

OAuth / OpenID Authentication

Version 24.10

  • Azure AD / Entra ID supports group names for authentication groups.

Version 24.4

  • Added Sing in with Apple as authentication provider. Note: you have to be enrolled in the Apple Developer Program to set up the authentication connection.

Version 23.10

  • For Google and Microsoft Azure login the settings from the plugin oauth.connection can be used.

Version 23.4

  • Also imports the avatar for new users when they log in to Azure.
  • Also adds a system login for Azure and ADFS users so that users can be merged with a possible LDAP import.

Fixed Bugs

  • When logging in a new OAuth user, the metadata, such as email, last name, first name, and avatar were not applied. The user was displayed only with the ID, instead of a display name.

Version 22.10

  • When logging in a new OAuth user, the metadata, such as email, last name, first name, and avatar were not applied. The user was displayed only with the ID, instead of a display name.

Version 22.4

  • Added optional tenant for Microsoft Azure authentication.

OAuth Connections

Version 22.4

  • Added support for OAuth 2.0 authentication for emails for Office 365 (modern authentication) and Gmail.

PDF Parser

Version 24.10

  • Made the plugin more versatile to be available for the reporting, PDF comparison and drive applications
  • Added PDF preview rendering for the Drive application

PDF Viewer

Version 24.4

  • Initial Release of the PDF Viewer. The viewer can be used as a rendering format, much alike the HTML Viewer.
  • The viewer is called using init=pdfviewer when requesting a report. It will only be useful in an online browser when rendering reports.
  • The viewer takes care of loading the requested report, as well as handling prompt request.
  • It should be noted, that the viewer will display reports only when they have finished rendering. The state of loading the PDF is provided from the viewer.
  • PDFs displayed in the viewer can be saved and printed, if natively supported by your modern browser.
  • Using a prompt on refresh option you can modify the prompt input when reloading a report using the menu.
  • Report files with group information will render an outline on the left side. You can select an outline entry to jump to the page and section - which is highlighted. Clicking the entry again removes the highlight from the document.
  • A separate text search is not provided by the viewer, since the browser has a much more powerful search. However, you can select and copy highlighted text from the document.

Fixed Bugs

  • Printing should work again from the PDF viewer, which previously was broken due to a CSP header issue.

Security Fixes

  • Security Update for CVE-2024-4367
    • If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Remote GUI

Version 24.10

Fixed Bugs

  • In the HTML editor, some images copied from external sources were not recognized as attachments and generated a very large text.

Version 24.4

  • If the product login is activated and users log in with the user name and password stored there, they can have a reset link sent to them in case they have forgotten their password. To do this, the user must have entered an e-mail address and e-mail dispatch must be configured on the server.
  • Some HTML editor actions in dialogs could not be used in Firefox browser.

Version 23.10

  • Fixed data buffer length for ajax and websocket requests
  • Corrected timeout handling for websocket connections with broken VPN connections

Security Fixes

  • Security Update for CVE-2023-45818
    • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  • Security Update for CVE-2023-48219
    • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Version 23.4

  • Added magnifying glass icon in the search bar to increase the visibility of the search function.
  • In the company info dialog of the configuration, it is possible to set to whom the installation hint for the application as a PWA is displayed. Guests and other special user accounts never get the hint displayed.

Version 22.10

  • The search bar has been updated to use CodeMirror for better overall keyboard support
  • Upgraded library momentjs to version 2.29.4 due to CVE-2022-24785 and CVE-2022-31129
  • Upgraded library tinymce to version 5.10.2 to include latest bugfixes

Version 22.4

  • Optimization of the connection recovery from the browser to the server

Version 21.10

  • Moved file service check to temp folder instead of working directory

Script Authentication

Version 21.10

Fixed Bugs

  • Fixes badly formatted cookies sent to the login script.

Setup Wizard

Version 24.4

  • When execution of setup is required, it displays a banner for that in all applications.

Version 23.4

  • When installing on a drive other than C:\ (Windows) then the program data directory can be changed during the setup.

Version 22.4

  • Setup now works properly when updating a single or multiple plugins via the plugin store. Duplicate executions and confusing messages will be avoided.
  • When updating the product-core plugin, Setup now updates all updateable plugins from the store.

Statistics

Version 23.4

  • The event log backup job can optionally include previously archived event entries when using a file persistence.

Version 21.10

  • Date and time values now respect the client's time zone when displayed
  • Memory for user and reports now store 20,000 entries as maximum to limit memory consumption

Store

Version 24.4

  • Up to 5 teasers are displayed at the top of the store, which are automatically rotated through.
  • The description of plugins, as well as the changelog and migration information is added to the documentation in the help.
  • Setup will no longer update plugins automatically when only a minor update of the core product (i.e. 22.4.120 to 22.4.198) was performed.

Version 23.10

  • The store now shows a link to the full changelog and migration information history in the plugin details.
  • In the plugin changelog history you can select a specific version to jump to that section.
  • In the help, when opening the release information page, there is now a dropdown to select a version from which, up until the current one, the release changes are displayed.

Security Fixes

  • Plugin sideload is disabled if permissions are not restricted in the system.

Version 22.4

  • Allow navigating through screenshots with the cursor keys. Escape key will close the preview.

Version 21.10

  • The plugin store is new and replaces the configuration of the plugins in the configuration
  • New versions and features are requested from the public plugin store and can be installed
  • On future updates, the setup will automatically update all activated plugins from the store

SVG image embedding

Version 24.4

  • Added JSVG library to render SVG files, e.g. for report files.
  • Added compatibility level option for previous version 23.10 that allows to switch back to the Batik SVG renderer.

Version 23.10

  • Updated the internal Batik libraries to version 1.16.

Version 22.10

  • Updated the internal Batik libraries to version 1.14.

System Core

Version 24.10

  • Docker Images are available for amd64 as well as arm64v8 platforms. That means that pulling an image by it's tag will automatically load a platform specific docker image.
  • Remote Recovery can also be used via HTTPS if it is configured in the server.

Version 24.4

  • The bundled Eclipse Temurin Java VM was updated to version 21.0.3.
  • Added support for Java version 22

Fixed Bugs

  • User search result entries will avoid displaying the same value in the top and bottom lines.
  • Fixes broken Digist authentication with Chrome browser.
  • Fixed a bug breaking the User Manager web interface if the country of the server is not valid.
  • Fixed a bug with searching digits and number data types which has produce the error: IllegalArgumentException: Empty left and right operand in search condition
  • Fixed a deadlock with OpenJ9 Java VM when starting the server via API.
  • Fixed embedded fonts for .NET viewer (error message: Could not create font with ID 1).
  • OAuth authentication (Azure) with Safari browser was not possible
  • Permission check for the WebAPI has not worked in connection with the default Windows Authentication
  • URL was wrong after signup with any OAuth authentication provider like Azure and if a reverse proxy (like default.aspx for IIS) was used

Security Fixes

  • Security Update for CVE-2024-30172
    • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Version 23.10

  • When searching "Date field:<date", the day of the date is no longer included in the search result.
  • Added DynamoDB persistence property TablePrefix.
  • All web server responses with a status code of 400 or higher are stored in an additional event log. They can be checked with the statistics and diagnostics plugins.
  • The order of authentication providers without settings can be changed in the Configuration Manager.
  • Added security.txt configuration option. The content of this option will be sent to clients requesting the /.well-known/security.txt file.
  • The guest account no longer has administrative permissions for security reasons, even if there are no restrictions on permissions (systempermission.enabled=false). Administrative permissions of the guest account must be explicitly activated if required (guest.full.permissions=true).
  • Does not override the system property "javax.net.ssl.trustStoreType" if already set.
  • Security Update for CVE-2023-35116
    • An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
  • Security Update for CVE-2018-1002208
    • SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
  • Security Update for CVE-2021-32840
    • SharpZipLib is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
  • Security Update for CVE-2023-5072
    • Denial of Service in JSON-Java versions up to and including 20230618.  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. 
  • Security Update for CVE-2023-44487
    • The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  • Security Update for CVE-2023-22102
    • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
  • Security Update for CVE-2023-34062
    • In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
    • Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.
  • Security Update for CVE-2024-25710
    • Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
  • Security Update for CVE-2024-22201
    • Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
  • Security Update for CVE-2023-51775
    • The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
  • Security Update for CVE-2024-30172
    • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Version 23.4

  • Eventlog entries are also written in Recovery Manager.
  • Configuration action in Login category added to reset authentication group members.
  • Security Update for CVE-2022-36033
    • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
  • Security Update for CVE-2020-13946
    • In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
  • Security Update for CVE-2022-42003
    • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
  • Security Update for CVE-2022-31684
    • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
  • Security Update for CVE-2022-41946
    • pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
  • Security Update for CVE-2021-37533
    • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
  • Security Update for CVE-2022-23494
    • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
  • Security Update for CVE-2022-41915
    • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.
  • Security Update for CVE-2023-22551
    • The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.
  • Security Update for CVE-2023-24998
    • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
  • Security Update for CVE-2022-45688
    • A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
  • Security Update for CVE-2022-45688
    • Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
  • Security Update for CVE-2024-30172
    • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Version 22.10

  • Installer for macOS using Apple Silicon is available
  • The bundled Eclipse Temurin Java VM is version 17.0.6
  • Added support for DynamoDB persistence
  • Added support for the HTTP header Forward (RFC 7329) for use with reverse proxies.
  • Database Persistence accepts any configuration scope (USER or SYSTEM) and can also run as a non-root account.
  • Added option to disable the "Stay logged in" feature for all users.
  • Security Update for CVE-2020-36518
    • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
  • Security Update for CVE-2022-24823
    • Netty is an open-source, asynchronous event-driven network application framework. The package ''io.netty:netty-codec-http'' prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own ''java.io.tmpdir'' when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
  • Security Update for CVE-2021-23792
    • The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
  • Security Update for CVE-2022-21363
    • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
  • Security Update for CVE-2020-11023
    • In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
  • Security Update for CVE-2022-2191
    • In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
  • Security Update for CVE-2022-2047
    • In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
  • Security Update for CVE-2022-31160
    • jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling ''.checkboxradio( "refresh" )'' on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the ''label'' in a ''span''.
  • Security Update for CVE-2022-31197
    • PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the ''java.sql.ResultRow.refreshRow()'' method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. '';'', could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the ''ResultSet.refreshRow()'' method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the ''refreshRow()'' method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as ''42.2.26'' and ''42.4.1''. Users are advised to upgrade. There are no known workarounds for this issue.
  • Security Update for CVE-2022-31129
    • moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
  • Security Update for CVE-2022-36033
    • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including ''javascript:'' URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default ''SafeList.preserveRelativeLinks'' option is enabled, HTML including ''javascript:'' URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable ''SafeList.preserveRelativeLinks'', which will rewrite input URLs as absolute URLs - ensure an appropriate [[https:*developer.mozilla.org/en-US/docs/Web/HTTP/CSP|Content Security Policy]] is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
  • Security Update for CVE-2022-42003
    • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
  • Security Update for CVE-2022-31684
    • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
  • Security Update for CVE-2021-37533
    • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
  • Security Update for CVE-2022-23494
    • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
  • Security Update for CVE-2022-41915
    • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator) call, into a remove() call, and call add() in a loop over the iterator of values.
  • Security Update for CVE-2023-24998
    • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Version 22.4

  • The bundled AdoptOpenJDK 17 was updated to Eclipse Temurin Java VM 17.0.4.1.
  • Two factor authentication supported.
  • Prevent side load of plugins for wrong application version.
  • It is now supported to use Web-Push notifications.
  • MeetUp has grown up, is called i-net CoWork and is now also available as a separate product.
  • Fixed a thread bug that allowed a user to run single requests in another users security context.
  • Security Update for CVE-2021-37136
    • The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
  • Security Update for CVE-2021-37137
    • The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
  • Security Update for CVE-2020-21913
    • International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.
  • Security Update for CVE-2021-4126
    • No information available.
  • Security Update for CVE-2021-43797
    • Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
  • Security Update for CVE-2021-41182
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.
  • Security Update for CVE-2021-41183
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.
  • Security Update for CVE-2021-41184
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.
  • Security Update for CVE-2020-36518
    • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
  • Security Update for CVE-2022-24785 and CVE-2022-31129
    • Upgraded library momentjs to version 2.29.4.

Version 21.10

  • The bundled AdoptOpenJDK 11 was updated to version 11.0.15
  • Java 17 supported
  • Update of old versions is now limited. If you are using an unsupported old version, an update to an intermediate version is required
  • It is allowed to create a Let's Encrypt certificate with a callback to the HTTPS port. Problems with redirect to HTTPS and if the server runs only on HTTPS are solved
  • Added QR code to the error page, linking to a help page which may have further details
  • Different ports, configured in the configuration Web Server dialog, use different HTTP sessions
  • An error message occurred during setup if redirect to HTTPS is enabled
  • The plugins dialog in the configuration of the server was replaced by the Plugin Store
  • Fixed a thread bug that allowed a user to run single requests in another users security context.
  • Security Update for CVE-2021-29425
    • In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like ''%%"//../foo", or "\..\foo"%%'', the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value
  • Security Update for CVE-2021-28165
    • In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame
  • Security Update for CVE-2021-28169
    • For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application
  • Security Update for CVE-2021-34428
    • For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
  • Security Update for CVE-2021-21409
    • Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final
  • Security Update for CVE-2021-31812
    • In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions
  • Security Update for CVE-2021-36090
    • When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package
  • Security Update for CVE-2021-35517
    • When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package
  • Security Update for CVE-2021-37714
    • jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes

Version 21.4

  • Memory management for systems with a large heap (>= 4 GB) was improved
  • The version number of plugins now consists of 3 parts
  • The plugin "Web Server Defender" added to protects against DoS and account hacking using brute force
  • The cookie attribute "SameSite" can now be set. The default value is Lax
  • Search bar and ticket views now also support an OR search with the keywords "or", "||" and "|"
  • Embedded web pages now also supports the linking (redirect) of web pages. Additional rights management based on "users and groups" memberships
  • Generic OpenID Connect (OIDC) authentication provider added
  • Azure OpenID Connect (OIDC) authentication provider added
  • Sample plugin for Custom OAuth provider added
  • Jetty version updated because of:
    • CVE-2020-27216
      • In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability
    • CVE-2020-13956
      • Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution
    • CVE-2020-27218
      • In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request
    • CVE-2020-27223
      • In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of &#8220;quality&#8221; (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values
  • *Guava version updated to 30.1 because of CVE-2020-8908**
    • A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured
  • Cron-utils updated to version 9.1.3 because of ​https://nvd.nist.gov/vuln/detail/CVE-2020-26238
  • Security Update for CVE-2020-1967
    • Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f)
  • Security Update for CVE-2021-20328
    • Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server&#8217;s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don&#8217;t use Field Level Encryption

Task Planner

Version 24.10

  • The file change trigger supports now the integration of other sources, such as the Drive plugin.
  • The Next Task trigger provides the option to pass any placeholders from the current task on to the next task along with a prefix which can be prepended to the placeholder key names.
  • Tasks in the list can now be filtered down by their name - quickly find your tasks this way.
  • When deactivating users who have tasks, a notification will be generated for administrators in the notification group "Task Planner Warning (Admin)".
  • Result actions can be moved forwards and backwards in the result action order with the options "Execute earlier/later". This is helpful for cases in which the order of these actions matters.
  • The e-mail action has an optional setting for the sender.

Version 24.4

  • The file system action has been converted into a completely new "Save file" action, which now supports the integration of other sources, such as the Drive plugin.
  • The Move Ownership page in Maintenance now supports resetting the chosen settings on the page.

Fixed Bugs

  • In rare cases, the server could hang during setup when there were many different complex tasks.

Version 23.4

  • Adds the {initiator} placeholder to the server stop trigger, which contains the display name of the user who restarted the server.
  • Tasks executed using the /api/taskplanner/execute endpoint are temporarily stored for the user, allowing them to access them later. If the tasks are not accessed again via the WebAPI within 60 seconds, they will be automatically removed.
  • In the task planner maintenance section, it was not possible to move tasks away from deactivated users.

Version 22.10

  • The parallel execution of one and the same task is now in general allowed
  • Manually starting a task while it is running is now possible
  • PUBLIC-API: To distinguish between multiple executions the TaskEvent and HistoryEntry now contains executionID, a unique ID for the execution.
  • PUBLIC-API: TaskPlanner's execute-method now return a CompletableFuture to allow more control over actions after the execution.
  • PUBLIC-API: New method cancelTaskExecution(GUID,GUID,boolean) to cancel a single running execution of a task instead of all running executions.
  • Added Low Memory Trigger to notify administrators of this critical situation.
  • PUBLIC-API: TimeTriggerFactory's generic type is now Trigger as it can return different types of trigger: TimeTrigger and TimeTriggerForCustomSettings
  • Fixed loading of large lists of tasks in the UI
  • Fixed bug endlessly showing task as running with 0% or 100% progress although there was no execution.
  • The license check of the Reporting Plus license for the Task Planning application was incorrect.
  • The option custom in time triggers works correctly.

Version 22.4

  • Placeholders are grouped if they start with the same prefix
  • Added the option custom in time triggers.
  • A maintenance module is provided for batch moving Task Planner tasks from one user to another.
  • Fixed visibility of Task Planner triggers, jobs, and actions (based on a user's permissions) to be in sync with the visibility of help sections for these triggers, jobs, and actions.

Version 21.10

  • Long running tasks were sometimes displayed as 'INCOMPLETE'
  • Correction of identical file names in the file actions for multiple identical jobs with parameter placeholders in one task.

Version 21.4

  • New Task Planner Job added to determine the free disk space in the working directory, cache and persistence directories. A threshold for minimum available disk space can be defined to trigger actions when there is not enough disk space left
  • Triggering of time-trigger interval 'Two Weeks' was in wrong week at the beginning of a new year.

Themes

Version 24.4

  • Adding 7 new themes

Version 23.4

Fixed Bugs

  • Fixed spelling mistake in "Dark Forest" theme

Version 22.10

  • Removed experimental Material Blue theme

Token Authentication

Version 23.10

Fixed Bugs

  • When accessing the server using HMAC token authentication, the system failed to log the user token's last access time.

Version 21.10

  • Added Plugin "Token Authentication".
  • Enables Web API access using access tokens. It allows users to create access token as another means of authentication into their account - but with restricted access scopes.
  • Support added for HMAC token authentication like used from MS Teams

Two-Factor Authentication

Version 24.4

  • Two-factor authentication can be deactivated for certain server IP addresses.

Version 23.10

  • 2FA emails are now sent to all stored email addresses of the user and not only to the first address.

Version 22.10

  • A second factor can be made mandatory in the login settings of the server configuration. If there is no second factor set for a user, it is required to be set up after a fresh login.

Version 22.4

  • Plugin added to support two factor authentication.

Users and Groups

Version 24.4

  • Before irrevocably deleting a user, an dynamic overview is shown of which types of data are connected to this user and will be gone if the deletion is performed.

Version 23.10

  • Added additional permission to read information from the Users and Groups Manager using the WebAPI. This allows read-only restricted access to search for users and return minimal information about them.

Version 23.4

  • Added Web API Extension for Users and Groups, that allows to search for either user or groups and display detail information about them.

Version 22.4

  • Added apply button to the edit dialog of a user or group. This allows to save the changes without closing the edit dialog.
  • The avatar of users can be changed in the users and groups application with a click on the avatar image of the selected user

Version 21.10

  • Per URL parameter s search phrases can now be passed to Users and Groups in the web interface
  • A new warning message appears when removing the last group member in a sub-group which will inherit memberships
  • In the preview it is possible to switch the view to show inherit entries for permissions, allowed actions and resources
  • Added a new label to allowed actions and permissions that tells if it is granted and if it is inherit

Waiting Queue

Version 24.10

  • With the new CoWork function "Waiting queue", members can submit consultation requests to other users by drawing a waiting number. The requests can be viewed and managed in a separate dialog.

Web API

Version 22.10

  • Opened up the WebAPI UI to be available for public requests, such as the Task Planners HTTP trigger, allowing to run the trigger from the browser.
  • Added input field for the current URL, restricting editing to variable parts that require IDs
  • Added JSON area to send custom JSON to a request URL
  • Added selection for HTTP method and send key to re-submit the request
  • Added ability to remember ID-token in the current web API session and automatically fill them until page is refreshed

Version 21.10

  • Update of the permission handling to determine if a user has access to API endpoints

Web Server

Version 24.10

  • Update Bouncy Castle encryption library to FIPS-certified edition. FIPS certification ensures cryptographic modules meet rigorous security standards, enhancing security and trust.

Version 23.10

  • Added option the security section of the webserver configuration to control embedding the application using X-Frame-Options.

Version 23.4

Security Fixes

  • Security Update for CVE-2023-44487
    • The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Version 22.10

  • Added placeholders for start and expiration date of the HTTPS certificate that is currently being used. The placeholders can then be used in Task Planner actions.
  • Changed Jetty server from version 9.4.x to 10.0.x.
  • Added support for HTTP/2 protocol.
  • Allowed Cross Origins is now called Allowed Origins
  • If Allowed Origins is set, it will send CORS headers that also include the external visible URL.
    • The server now checks that it is addressed using any of the given values from either the external visible URL or the Alowed Origins
    • The server checks HTTP/s as well as WS/s connections

Version 22.4

  • An optional web context of the web server can be set if the server should not run in the root context.

Windows Authentication

Version 24.4

  • Support for the Negotiate authentication protocol has been added. This means that Kerberos login is supported.
i-net Clear Reports
This application uses cookies to allow login. By continuing to use this application, you agree to the use of cookies.


Help