5.8.9

Security

  • Updated user account settings to require password confirmation to change email (CVE-2022-29270) (Thanks Alwin Warringa) -JO
  • Updated admin account settings to require password confirmation to change password and email (CVE-2022-29270) (Thanks Alwin Warringa) -JO
  • Fixed stored XSS security issue in Nagios BPI with the info URL not being escaped properly -JO
  • Fixed stored XSS security issue with command names having no encoding in the apply config error text -JO
  • Fixed stored XSS related to update checking -SAW
  • Fixed redirect on login page where redirect parameter URLs could redirect the user externally after login (CVE-2022-29272) (Thanks Alwin Warringa) -JO
  • Fixed scheduled report/send report email script allowing HTML code to be used in the message field (CVE-2022-29269) (Thanks Alwin Warringa) -JO
  • Fixed scheduled downtime page allowing read-only users to submit downtimes via crafted POST requests (CVE-2022-29271) (Thanks Alwin Warringa) -JO

Updated

  • Updated automysqlbackup script to default root mysql password if none is set [TPS#15739] -JO

Added

  • Added peer verification when loading external URLs -SAW

Fixed

  • Fixed issue in 5.8.0 upgrade for Debian and Ubuntu users -SAW

Component Updates

Core Config Manager (CCM) 3.1.7

  • Fixed copying of service object not copying excludes for Host/Hostgroups [TPS#15732] -JO
  • Fixed reflected XSS security issue in lock page Cancel button not URL-encoding the returnurl value -JO
  • Properly fixed XSS security issue in search input on audit log page (Thanks Hieu Tran (jkana101) from VCB STeam) -JO