Release announcements, helpful tips, and community discussion


Cerb (7.0.4) is a maintenance update released on August 17, 2015; it contains 8 improvements from community feedback covering the 7.0 update. You can follow these instructions to upgrade.

  • [CHD-4155] [Mail/HTML/Usability] When displaying HTML messages on tickets, external links will now be displayed in a new browser tab/window. Previously, these were replacing the current page in Cerb unless the worker knew to hold CTRL/CMD when clicking the link.

  • [CHD-4145] [Virtual Attendants/Mail] The ‘Send email’ action in Virtual Attendants can now override the ‘From:’ and ‘Subject:’ headers. This allows VAs to spoof sender addresses if the SMTP transport allows it, which enables behaviors like automatically forwarding/reflecting messages to a different destination.

  • [CHD-4171] [Sessions/Activity Log] When the seat count is reached and a worker is logged out, the event will be recorded in their activity log for later auditing.

  • [Code Cleanup] Fixed a PHP Notice regarding a ‘conntinue’ typo.

  • [CHD-4161] [Virtual Attendants/Headers/Usability] When using ‘Message headers’ conditions in Virtual Attendant behaviors, the header name may now be given with or without a trailing colon. Previously, if the header name was followed by a colon the condition always failed.

  • [CHD-4173] [Worklists/Customize/Options] When customizing a worklist, fixed a namespace issue with two different sections using the ‘options’ field name. For instance, if a picklist custom field was being displayed in ‘Add filter’, then the view options (e.g. hide watchers/recommendations/sorting) didn’t save properly.

  • [CHD-4180] [Mail/Groups] Fixed an issue when sending mail where the ‘From:’ personal name didn’t cascade properly. If the bucket and group’s default bucket lacked a personal sender name, the default bucket’s reply-to wasn’t being checked before the global default reply-to was used.

  • [Security/CSRF] Fixed a medium risk CSRF (cross-site request forgery) vulnerability reported by High-Tech Bridge (HTB23269). We don’t have any evidence of this having taken place in the wild, but we were able to reproduce the results with the proof-of-concept in the advisory. A logged in worker could be tricked into visiting a URL that could perform certain actions in their browser session. Cerb now uses the Synchronizer pattern: a session-based token included with every HTML FORM and Ajax request that is compared to the active session. This verifies that such requests are coming from an existing Cerb page rather than an external source. When a potential CSRF attack is detected, the event is now logged in the PHP log as a warning.