10.4.10
Cerb (10.4.10) is a maintenance update released on April 08, 2024. It includes 23 minor features and fixes from community feedback covering the 10.4 update. You can follow these instructions to upgrade.
Changelog
Changed
- [Automations/Commands] In automations using `api.command:`, the `cerb.commands.oauth2.token.validate` command now returns an OAuth token’s granted scopes. This can be used to check permissions in custom APIs.
- [Toolbars/Autocompletion/UX] In toolbar editors, added autocompletion for `menu:icon:`.
- [Worklists/Logging] When calling the `pages/renderWorklist` endpoint, the worklist record ID is now included in the `?log=` query parameter. This helps with tracing web requests.
- [Sheets/Links/UX] In sheets, `link:` column icons are now also clickable. This allows a column with only icons. Previously, only the label text was clickable. Thanks to @mryanb for the feature request.
- [Extras/Impex] The `cerb-package-exporter.php` reference can optionally exclude time tracking entries on tickets.
- [Extras/Impex] The `cerb-package-exporter.php` reference now exports the `ticket.reopen_date` field by default.
- [Extras/Impex] The `cerb-package-exporter.php` reference now exports the `is_pinned` and `is_markdown` fields on comment records.
- [Extras/Impex] The `cerb-package-exporter.php` reference now exports threaded comments.
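The first item above notes that the token validation command now returns the token’s granted scopes so a custom API can check permissions. The following is an added example, not Cerb’s own code and not written in Cerb’s automation syntax, of what that check looks like on the API side: a valid token and a sufficiently scoped token are treated as two separate questions, and unknown endpoints are denied by default. The shape of the validation result, the endpoint table and the scope names are assumptions for illustration.

```python
"""Scope enforcement for a custom API endpoint, driven by the granted scopes
an OAuth token validation returns.

Added example, not Cerb's own code. The validation result shape (a dict with
'valid' and a 'scopes' list), the endpoint table and the scope names are
assumptions for illustration only.
"""

# Assumed: what a token validation returns for one token. A real API would
# obtain this from the validation command rather than from a literal.
SAMPLE_VALIDATION_RESULT = {
    "valid": True,
    "scopes": ["tickets:read", "comments:write"],
}

# Assumed table of the scopes each custom endpoint requires. Deny by default:
# an endpoint that is not listed here is never authorized.
REQUIRED_SCOPES = {
    "GET /tickets": {"tickets:read"},
    "POST /tickets": {"tickets:write"},
    "POST /comments": {"tickets:read", "comments:write"},
}


def granted_scopes(validation_result: dict) -> frozenset:
    """Return the granted scopes as a set; an invalid token grants nothing."""
    if not validation_result.get("valid"):
        return frozenset()
    scopes = validation_result.get("scopes") or []
    return frozenset(s.strip() for s in scopes if isinstance(s, str) and s.strip())


def authorize(endpoint: str, validation_result: dict) -> tuple:
    """Decide whether a request may proceed. Returns (allowed, reason).

    A token merely being valid is not enough: every scope the endpoint
    requires must have been granted. The reason string is meant for the
    server log, not for the client response.
    """
    required = REQUIRED_SCOPES.get(endpoint)
    if required is None:
        return False, "unknown endpoint"
    granted = granted_scopes(validation_result)
    if not granted:
        return False, "invalid token"
    missing = required - granted
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    for endpoint in ("GET /tickets", "POST /tickets", "POST /comments", "DELETE /tickets"):
        print(endpoint, authorize(endpoint, SAMPLE_VALIDATION_RESULT))
```

The point of keeping `granted_scopes` separate from `authorize` is that a token with an empty or malformed scope list fails closed rather than being treated as all-powerful; the reason strings are for server-side logging and should not be echoed verbatim to the caller.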
Fixed
- [Support Center/PHP8] Fixed some PHP 8.2+ deprecation warnings in the Support Center portal.
- [Support Center/Account] In the Support Center portal, fixed an issue when changing the current account’s password. It wasn’t possible to change the password a second time without logging out and back in again.
- [Support Center/Knowledgebase] Fixed an issue with re-parenting knowledgebase categories. The new category tree wasn’t reflected in the Support Center until all articles were re-saved.
- [Log/Comments] Fixed an issue in the activity log where comments were logged and triggered notifications even when `disable_events:` was enabled (e.g. packages, automations).
- [Automations/Comments/Log] Fixed an issue in the activity log. Creating comment records from an automation could misattribute the logged actor. This now always uses the comment author from the record.
Security
- [Security/Dependencies] Updated the phpseclib dependency to v3.0.36 in response to an upstream vulnerability disclosure.
- [Support Center/Security] In the Support Center portal, a minimum password length of 8 is now enforced.
- [Support Center/Security] In the Support Center portal, it’s now possible to disable new account registration. This improves security in environments where registration is invite-only.
- [Support Center/Security] In the Support Center portal, it’s now possible to disable account recovery (i.e. forgot password).
- [Support Center/Security] Increased the complexity of CAPTCHA image challenges in the Support Center portal. Characters are individually positioned, rotated, scaled, and colorized. The background color and image dimensions are randomized.
- [Support Center/Security] In the Support Center portal, a CAPTCHA image challenge is now required when requesting an account registration confirmation code by email. This increases the complexity of abuse (e.g. automated account creation, backscatter, spam).
- [Support Center/Security] In the Support Center portal, a CAPTCHA image challenge is now required when requesting an account recovery code by email (i.e. forgot password). This increases the complexity of abuse (e.g. brute force, backscatter, spam).
- [Support Center/Security] In the Support Center portal, an email address cannot be used to register a new account when a confirmation code was previously requested within the past 30 minutes. Previously, it was possible for an attacker to maliciously spam confirmation codes and potentially negatively affect the SMTP reputation of the mail server.
- [Support Center/Security] In the Support Center portal, during account recovery, an email address cannot be sent a confirmation code if one was previously requested within the past 60 minutes. Previously, it was possible for an attacker to maliciously spam confirmation codes and potentially negatively affect the SMTP reputation of the mail server.
- [Support Center/Security] In the Support Center, fixed an issue where some non-validation error messages could be displayed to the user. This could potentially be abused to leak information, but there is no evidence it was directly exploitable.
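The two cooldown items above (30 minutes for registration confirmation codes, 60 minutes for recovery codes) describe a per-address rate limit on outbound mail. The following is an added example, not Cerb’s own code, that models that behaviour and shows how much an attacker who keeps retrying actually gets through. The in-memory store, the injected clock, the case-insensitive address matching and the constructed timeline are assumptions for illustration.

```python
"""Per-address cooldown for emailed confirmation codes.

Added example, not Cerb's own code. It models the 10.4.10 behaviour described
in the release notes: a registration confirmation code is not re-sent to an
address within 30 minutes of the previous request, and a recovery code not
within 60 minutes. The in-memory store, the clock passed in by the caller and
the address normalization are assumptions for illustration only.
"""
from datetime import datetime, timedelta

# Cooldown windows taken from the release notes, keyed by request kind.
COOLDOWN = {
    "registration": timedelta(minutes=30),
    "recovery": timedelta(minutes=60),
}

# Constructed starting point for the timeline used below.
T0 = datetime(2024, 4, 8, 12, 0)


def at(minutes: int) -> datetime:
    """Helper: the constructed clock, `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


class CodeRequestLimiter:
    """Remembers when a code was last sent for each (kind, address)."""

    def __init__(self) -> None:
        self._last_sent = {}

    @staticmethod
    def _key(kind: str, email: str) -> tuple:
        # Assumption: addresses are compared case-insensitively with surrounding
        # whitespace removed, so "Alice@Example.com " and "alice@example.com"
        # share one cooldown instead of giving the attacker a fresh window.
        return kind, email.strip().lower()

    def request_code(self, kind: str, email: str, now: datetime) -> bool:
        """Return True if a code may be sent now, False while in cooldown.

        Only a request that actually sends a code updates the timestamp; a
        rejected request does not extend the window. Callers should show the
        same generic response to the user either way, so the cooldown state
        itself does not reveal anything about the address.
        """
        if kind not in COOLDOWN:
            raise ValueError("unknown request kind: " + kind)
        key = self._key(kind, email)
        last = self._last_sent.get(key)
        if last is not None and now - last < COOLDOWN[kind]:
            return False
        self._last_sent[key] = now
        return True


def simulate_spam(kind: str, email: str, attempts: int, interval_minutes: int) -> int:
    """Count the codes an attacker triggers by retrying every `interval_minutes`
    for `attempts` tries against a fresh limiter, starting at T0."""
    limiter = CodeRequestLimiter()
    sent = 0
    for i in range(attempts):
        if limiter.request_code(kind, email, at(i * interval_minutes)):
            sent += 1
    return sent


if __name__ == "__main__":
    # Two hours of one-request-per-minute abuse against a single address.
    print("registration codes sent:", simulate_spam("registration", "bob@example.com", 120, 1))
    print("recovery codes sent:", simulate_spam("recovery", "bob@example.com", 120, 1))
```

Note that the limiter keys on the address, not on the client, so it holds up against an attacker rotating source IPs; pairing it with the CAPTCHA items above is what raises the cost of automated requests in the first place.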