3.1.2
What's Changed
- Fix copy password log. by @corentin-soriano in #4293
- Add css/js script version to avoid cache issues on upgrade. by @corentin-soriano in #4286
- Avoid bypass maximum_session_expiration_time parameter. by @corentin-soriano in #4285
- Trim values to avoid break json. by @corentin-soriano in #4282
- BUGFIX - Cast all fields on API createUserJWT function call. by @corentin-soriano in #4280
- Sanitize import priv/pub keys field. by @corentin-soriano in #4268
- BUGFIX - Improve folder permissions. by @corentin-soriano in #4262
- BUGFIX - Fix user personnal folder creation. by @corentin-soriano in #4257
- Fix for broken JSON response when ldap group id is binary by @simonpoess in #4185
- SEC - Remove generateBugReport for non admin users by @corentin-soriano in #4206
- Remove space in .scrutinizer.yml filename by @rokx in #4220
- BUGFIX - Add short timeout to fsocksopen and use host/port of duo API. by @corentin-soriano in #4222
- BUGFIX - Fix blank pages. by @corentin-soriano in #4223
- BUGFIX - Fix multiple issues on login page by @corentin-soriano in #4228
- BUGFIX - Correct issues in delete items in list by @corentin-soriano in #4230
- BUGFIX - Avoid break tp.config.php file with single quote in parameter value. by @corentin-soriano in #4231
- BUGFIX - Redirect on item view after authentication if an unauthenticated user opened direct link. by @corentin-soriano in #4234
- Add username, mail and url next to description in item view. by @corentin-soriano in #4235
- SEC - Correct LFI. by @corentin-soriano in #4236
- SEC - Use session user id instead of user input to download or reset user keys by @corentin-soriano in #4237
- SEC - Correct multiple XSS by @corentin-soriano in #4238
- SEC - Correct bypass upload filters vulnerability. by @corentin-soriano in #4239
- SEC - Correct wrong access control by @corentin-soriano in #4240
- BUGFIX - Don't close item view when using copy item link. by @corentin-soriano in #4254
- BUGFIX - Correct email formatting by @corentin-soriano in #4255
- BUGFIX - Upgrade process improvement and speedup by @corentin-soriano in #4256
- UI - Improve items page UX to see tree/items list and items details simultaneously. by @corentin-soriano in #4273
- BUGFIX - Fixing email content wrongly escaped and broken on mail client by @lucasfoussier in #4304
- BUGFIX - Escaping email inner content only when necessary by @lucasfoussier in #4309
- Sanitize import priv/pub keys field. by @corentin-soriano in #4321
- Delete by id instead of key to gain reliability. by @corentin-soriano in #4322
- Highlight selected/favorites items and reverse default limited-search value by @corentin-soriano in #4325
- Automatically detect ldap password change by @corentin-soriano in #4323
- Update oauth.php by @kcbieng in #4329
- Update AzureAuthController.php and ActiveDirectoryExtra.php by @kcbieng in #4327
- Completes the implementation of the nb_items_by_query parameter. by @corentin-soriano in #4330
- Fix error with wrong variable name on item creation. by @corentin-soriano in #4333
- Fix issues on folders. by @corentin-soriano in #4334
- Add support of generic OAuth2 provider in addition to MS Azure, auto-login and fix security issue. by @corentin-soriano in #4332
- Fix cache error on folder creation. by @corentin-soriano in #4335
- Add strong default password length for generation. by @corentin-soriano in #4336
- Fix favorites remove issue. by @corentin-soriano in #4338
- Auto select jstree folder on path elems click. by @corentin-soriano in #4339
- Fix copy password with html encoding. by @corentin-soriano in #4340
- Revert unresolved merge conflict from c79627e and unused install1 folder by @corentin-soriano in #4347
- Completes the implementation of the encryptClientServer parameter . by @corentin-soriano in #4337
- Speedup keepass import by adding batch processing and sql transactions. by @corentin-soriano in #4342
- Speedup copy/delete folder and copy item actions. by @corentin-soriano in #4343
- Revert from 9a57084 by @corentin-soriano in #4348
- Fix invisible new created folder in personal space and avoid double jstree selection on creation. by @corentin-soriano in #4344
- Add access grant check on backend side. by @corentin-soriano in #4346
- Add support of PWA (full screen app) with Window Controls Overlay. by @corentin-soriano in #4277
- Remove tp config by @nilsteampassnet in #4349
- Speedup populateItemsTable_CreatedAt execution. by @corentin-soriano in #4353
- Fix for local accounts when oauth2 is disabled. by @corentin-soriano in #4354
- Add setting for build_cache_tree task batch. by @corentin-soriano in #4355
- Vulnerability log injection by @nilsteampassnet in #4359
- Fix pwd issues by @corentin-soriano in #4360
- Vulnerability creating admin user with a normal account by @nilsteampassnet in #4363
- Fixing a vulnerability where a standard user could disable any user by @nilsteampassnet in #4367
- Hide duo secret key. by @corentin-soriano in #4369
- Fixing vulnerability with clear password in email log by @nilsteampassnet in #4371
- Replace tp.config.php by ConfigManager and remove obsoletes functions. by @corentin-soriano in #4372
- Vulnerability using API authorization with SQL Injection by @nilsteampassnet in #4373
- Profile fixes by @evertton in #4377
- Fix config issues. by @corentin-soriano in #4385
- Fix search input background color #4374 by @corentin-soriano in #4384
- Fix users encoding #4316 by @corentin-soriano in #4383
- Code review fixes by @nilsteampassnet in #4379
- Fix for encryptClientServer input field by @nilsteampassnet in #4387
- Add minor version on static scripts. by @corentin-soriano in #4389
- Fix issue with PWA on subpaths. by @corentin-soriano in #4390
- Add email field to admin account setup #4382 by @evertton in #4388
- Fix SQL injection on store_user_changes. by @corentin-soriano in #4395
- Fix user confidential infos leak. by @corentin-soriano in #4394
- Fix applicative privilege escalation. by @corentin-soriano in #4397
- Vulnerability during install by @nilsteampassnet in #4392
- Fix settings last modification. by @corentin-soriano in #4393
Vulnerabilities fixed
- SQL Injection (Pre-Authentication) - CVE-2024-48269
- Code Injection - CVE-2024-53511
- Password in Cleartext on Client Side - CVE-2024-48266
- Stored Cross-Site Scripting (XSS) - CVE-2024-48265
- Broken Access Control - Log Injection - CVE-2024-48268
- Broken Access Control - Admin User Creation (Privesc) - CVE-2024-53512
- Broken Access Control - Arbitrary User Disabling - CVE-2024-48262
- Password in Cleartext in Database - CVE-2024-53510
New Contributors
- @corentin-soriano made their first contribution in #4293
- @simonpoess made their first contribution in #4185
- @rokx made their first contribution in #4220
- @lucasfoussier made their first contribution in #4304
- @kcbieng made their first contribution in #4329
- @evertton made their first contribution in #4377
Full Changelog: 3.1.1...3.1.2
Important
- Requires at least
PHP 8.1 - New password library implemented, read about impacts
Languages
Please join Teampass v3 translation project on Poeditor and translate it for your language.
Installation
Follow instructions from Documentation.
Upgrade
Follow instructions from Documentation.
Ideas and comments
Are welcome ... please use Discussions.
Contributors
nilsteampassnet, evertton, and 5 other contributors