Again we received an email from the CYBSEC S.A company that they discovered 2 vulnerabilities in Achievo 1.4.4 and below. The first one was an authorization flaw in the Time registration module, that made it possible to delete/add records of other users. The second one was a CSRF in ATK how it handles the validation of the actions. Both problems are fixed in Achievo 1.4.5.

For a full list of resolved issues, you can visit: http://www.achievo.org/download/releasenotes/1_4_5.

Sandy

Yesterday we received an email from Stefan Esser which was testing Achievo for the Month Of PHP Security. During the SQL Injection marathon he found one in the script that generates the project graphs. This security bugfix release will fix this issue.

For a full list of resolved issues, you can visit: http://www.achievo.org/download/releasenotes/1_4_4.

Sandy

Today we received an email from the CYBSEC S.A company that they discovered 2 vulnerabilities in Achievo 1.4.2 and below. The first one was about an XSS that people could enter javascript in a scheduler category. And the second one was about the document manager. This module didn't check the files that where upload which made it possible to upload php files for example. Therefore we updated the document manager and added a new config (docmanager_allowedfiletypes) for it in /configs/docmanager.php.inc. With this config you can tell the docmanager what type of files a user can upload. Both problems are now fixed in Achievo 1.4.3 this means that we have a new release 6 hours after they where reported, which is a new record

For a full list of resolved issues, you can visit: http://www.achievo.org/download/releasenotes/1_4_3.

Sandy

I'm pleased to announce the immediate availability of the 1.4.2 release. This release is the second maintenance release in the 1.4 series, and includes 2 bugfixes, a language update and a new config for turning on the ages in the scheduler birthday view. Many thanks to all the contributors who helped with this release, including translators and reporters.

For a full list of resolved issues, you can visit: http://www.achievo.org/download/releasenotes/1_4_2.

Sandy

I'm pleased to announce the immediate availability of the 1.4.1 release. This release is the first maintenance release in the 1.4 series, and includes 5 bugfixes and 2 language updates. Many thanks to all the contributors who helped with this release, including translators and reporters.

For a full list of resolved issues, you can visit: http://www.achievo.org/download/releasenotes/1_4_1.

Sandy