Release notes: 2020-10-15

Security updates and fixes

  • Restricted profile pictures to PNGs, JPGs, and JPEGs to prevent uploading malicious files.

  • Prevented unverified users from viewing and updating profile pictures.

  • Implemented validation for user input and proper output encoding for the "Forgot your password" link to prevent cross-site scripting (XSS) attacks.

  • Encoded HTML elements in user data to prevent HTML injection.

  • Prevented arbitrary URL redirection when generating a PDF assessment report.

  • Added new functions to prevent cross-site request forgery (CSRF).

  • Prevented sensitive information from being included in URLs.

  • Implemented a check for 2FA requirements before fully authenticating the session to prevent 2FA bypasses.

  • Fixed an issue with manuals where users could only view manuals they had created.
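The first item restricts profile pictures to PNG, JPG and JPEG. The release notes do not say how that restriction is implemented; the following is an added example (not the product's own code) of the check a defender would want: an extension allowlist combined with a magic-byte check on the content, so that a file whose name ends in `.png` but whose bytes are not an image is still rejected. The size limit and the `stored_name` helper are assumptions added for illustration.

```python
import os
import uuid

# Allowed formats from the release notes, mapped to the leading bytes (magic
# numbers) a genuine file of that type must start with. The magic-byte check is
# an added hardening step, not a description of the product's implementation.
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
MAX_BYTES = 2 * 1024 * 1024  # hypothetical upload size limit (2 MiB)


def validate_profile_picture(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Accept only PNG/JPEG by BOTH name and content."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_MAGIC:
        return False, f"extension {ext or '(none)'} is not allowed"
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "file is empty or exceeds the size limit"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        # Name says image, bytes do not: the extension alone is not trusted.
        return False, "content does not match the declared image type"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Hypothetical helper: never reuse the client-supplied name on disk."""
    ext = os.path.splitext(filename)[1].lower()
    return f"{uuid.uuid4().hex}{ext}"


# Constructed sample inputs (not real uploads).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # minimal PNG-looking header
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32      # minimal JPEG-looking header
FAKE_PNG = b"this is not an image at all"           # wrong bytes, right extension

if __name__ == "__main__":
    for name, blob in [("me.png", REAL_PNG), ("me.jpeg", REAL_JPEG),
                       ("me.png", FAKE_PNG), ("me.txt", REAL_PNG)]:
        print(name, validate_profile_picture(name, blob))
```

Checking content as well as the name is what makes the restriction meaningful: extension-only filters are satisfied by any file that happens to be renamed.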