Improvements & New Features
- Added new PDF report in expenses page.
- Added new functionality: Mail Templates and scheduled jobs.
Security Updates
- Fixed an Insecure Direct Object Reference (IDOR) vulnerability that allowed authenticated users to create or modify listings under unauthorized accounts.
- Fixed a Stored Cross-Site Scripting (XSS) vulnerability where the name parameter of a listing could execute malicious scripts when rendered in the calendar view.
- Fixed a Host Header Poisoning vulnerability that allowed crafted Host headers to manipulate redirects, potentially enabling phishing attacks via malicious domains.
- Fixed a Slowloris denial-of-service (DoS) vulnerability affecting Nginx, where connections held open indefinitely could exhaust server resources and lead to service outages.
- Fixed an information disclosure issue where server version details were included in HTTP response headers, reducing exposure to targeted reconnaissance and exploitation attempts.
- Fixed missing security flags on authentication cookies to prevent theft via client-side scripts and mitigate cross-site request forgery (CSRF) risks.
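The three server-side items above (Host header poisoning, Slowloris, version disclosure) map onto ordinary Nginx settings. The configuration below is an added illustration, not this project's own configuration; the host name app.example.com, the certificate paths, the backend address and the timeout values are placeholders chosen for the example.

```nginx
# Added example, not this project's configuration. Placeholders: app.example.com,
# the certificate paths, the backend at 127.0.0.1:8000 and the timeout values.
http {
    # Information disclosure: stop advertising the nginx version in the
    # Server header and on built-in error pages.
    server_tokens off;

    # Slowloris: bound how long a client may take to send request headers and
    # body, how long nginx waits while sending a response, and how long an idle
    # keep-alive connection is held. Cap concurrent connections per client
    # address so one source cannot occupy every worker connection.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;
    limit_conn per_ip 20;

    # Host header poisoning: a default server catches any request whose Host
    # does not match a configured server_name. Returning 444 closes the
    # connection without a response, so a crafted Host never reaches the
    # application or its redirect logic.
    server {
        listen 443 ssl default_server;
        ssl_certificate     /etc/nginx/certs/placeholder.crt;
        ssl_certificate_key /etc/nginx/certs/placeholder.key;
        return 444;
    }

    server {
        listen 443 ssl;
        server_name app.example.com;
        ssl_certificate     /etc/nginx/certs/placeholder.crt;
        ssl_certificate_key /etc/nginx/certs/placeholder.key;

        location / {
            proxy_pass http://127.0.0.1:8000;
            # Forward the configured canonical host to the backend, not the
            # client-supplied value, so redirects are built from a trusted name.
            proxy_set_header Host $server_name;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

After reloading, `curl -sI https://app.example.com/ | grep -i '^server:'` should show `Server: nginx` with no version suffix, and a request sent with an unexpected Host value should get no response at all rather than a redirect. The timeouts reduce how long a slow client can hold a connection; they do not replace upstream rate limiting or a WAF for volumetric attacks.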
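The three application-level items (the IDOR on listings, the stored XSS in the listing name, and the cookie flags) are illustrated below with an added Python example using only the standard library; it is not code from this project. The Listing model, the in-memory LISTINGS store, the function names and the session token value are constructed for the example.

```python
"""Added example (not code from this project): minimal before/after
illustrations of the three application-level fixes. The Listing model,
the LISTINGS store and all function names are assumptions for the example."""
import html
from dataclasses import dataclass
from http import cookies


@dataclass
class Listing:
    listing_id: int
    owner_id: int
    name: str


# Constructed sample data: two users (ids 100 and 200), each owning one listing.
LISTINGS = {
    1: Listing(listing_id=1, owner_id=100, name="Seaside flat"),
    2: Listing(listing_id=2, owner_id=200, name="Mountain cabin"),
}


class Forbidden(Exception):
    """Raised when the authenticated user may not act on the requested object."""


def can_modify_listing(current_user_id: int, listing_id: int) -> bool:
    """Authorization check: the object must exist and belong to the caller.
    current_user_id comes from the server-side session, never from the request."""
    listing = LISTINGS.get(listing_id)
    return listing is not None and listing.owner_id == current_user_id


def update_listing_name_vulnerable(listing_id: int, new_name: str) -> Listing:
    # IDOR: trusts the client-supplied id and never checks who owns it.
    listing = LISTINGS[listing_id]
    listing.name = new_name
    return listing


def update_listing_name(current_user_id: int, listing_id: int, new_name: str) -> Listing:
    """Hardened: look the object up, then verify ownership before writing.
    Missing and not-owned listings get the same error so ids cannot be probed."""
    if not can_modify_listing(current_user_id, listing_id):
        raise Forbidden(f"listing {listing_id} is not accessible to user {current_user_id}")
    listing = LISTINGS[listing_id]
    listing.name = new_name
    return listing


def calendar_cell_vulnerable(listing: Listing) -> str:
    # Stored XSS: the stored name is interpolated into HTML unchanged.
    return f"<td class='event'>{listing.name}</td>"


def calendar_cell(listing: Listing) -> str:
    """Hardened: HTML-escape the stored value at the point it is rendered."""
    return f"<td class='event'>{html.escape(listing.name, quote=True)}</td>"


def session_cookie_vulnerable(token: str) -> str:
    # No flags: readable by scripts, sent over plain HTTP, sent on cross-site requests.
    jar = cookies.SimpleCookie()
    jar["session"] = token
    return jar.output(header="").strip()


def session_cookie(token: str) -> str:
    """Hardened: HttpOnly hides the cookie from document.cookie, Secure limits
    it to HTTPS, SameSite=Lax withholds it from cross-site POSTs."""
    jar = cookies.SimpleCookie()
    jar["session"] = token
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(update_listing_name(100, 1, "Harbour flat"))
    print(calendar_cell(Listing(3, 100, "<img src=x onerror=alert(1)>")))
    print(session_cookie("constructed-token-123"))
```

html.escape is the right encoder only because the calendar puts the name inside an HTML element; a value placed into a JavaScript string, a URL or an attribute without quotes needs the encoder for that context. SameSite=Lax blocks the cookie on cross-site POSTs but still sends it on top-level GET navigations, so state-changing endpoints should additionally require a CSRF token or reject GET.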
Bug Fixes
- Fixed a booking update bug (support ticket b328375).
- Fixed a guest update bug (support ticket b82387).
- Fixed a new listing dashboard bug (b2838).
Security Research Credit
- Alexandros Perrakis (Stolichnayer), for identifying and responsibly disclosing the vulnerabilities.