v8.19
This release fixes the following CRITICAL SECURITY ISSUES of Megableed:
- Security Fix 1: IDOR in setCreateTranslation. Non-admin could change Custom Translation.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 2: Private-only board setting can be bypassed.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 3: Card comment author spoofing (IDOR) via API.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 4: Cross-board card move without destination authorization.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 5: Read-only roles can still update cards.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 6: Checklist delete IDOR: checklist not verified against board/card.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 7: Checklist create IDOR: cardId not verified against boardId.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 8: Attachments publication leaks metadata without auth.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 9: Attachment upload not scoped to card/board relationship.
Thanks to Joshua Rogers of Aisle Research and xet7.
- Security Fix 10: LDAP filter injection in LDAP auth.
Thanks to Joshua Rogers of Aisle Research and xet7.
and adds the following new features:
- Opened card Checklist menu: Hide finished tasks. Show Checklist at Minicard.
Thanks to C0rn3j and xet7.
and adds the following updates:
- Helm Chart: Updated MongoDB to 7.0.28 at artifacthub.io.
Thanks to xet7 and titver968.
and fixes the following bugs:
- Re-add JS closing class to unicode close announcement symbol.
Thanks to Chostakovitch.
- Cannot re-arrange lists within swimlanes.
Thanks to Chostakovitch.
- Converted Gantt from js to Jade, and made card title render markdown at Gantt view.
Part 1,
Part 2.
Thanks to xet7.
- Fix find.sh to work with spaces, for example: ./find.sh "Some text".
Thanks to xet7.
- Fix copy move card at board and MultiSelect to have numbered target of board, card above or below. Added MultiSelect change color.
Thanks to mimZD and xet7.
- Fix move card last selection is gone.
Thanks to mimZD and xet7.
- Fix Unable to delete Checklist. Added confirm delete to Checklist and Checklist Item.
Thanks to C0rn3j and xet7.
Thanks to above GitHub users for their contributions and translators for their translations.