10.4.10

Cerb (10.4.10) is a maintenance update released on April 08, 2024. It includes 23 minor features and fixes from community feedback covering the 10.4 update. You can follow these instructions to upgrade.

Changelog

Changed

  • [Automations/Commands] In automations using api.command:, the cerb.commands.oauth2.token.validate command now returns an OAuth token’s granted scopes. This can be used to check permissions in custom APIs.

  • [Toolbars/Autocompletion/UX] In toolbar editors, added autocompletion for menu:icon:.

  • [Worklists/Logging] When calling the pages/renderWorklist endpoint, the worklist record ID is now included in the ?log= query parameter. This helps with tracing web requests.

  • [Sheets/Links/UX] In sheets, link: column icons are now also clickable. This allows a column with only icons. Previously, only the label text was clickable. Thanks to @mryanb for the feature request.

  • [Extras/Impex] The cerb-package-exporter.php reference can optionally exclude time tracking entries on tickets.

  • [Extras/Impex] The cerb-package-exporter.php reference now exports the ticket.reopen_date field by default.

  • [Extras/Impex] The cerb-package-exporter.php reference now exports the is_pinned and is_markdown fields on comment records.

  • [Extras/Impex] The cerb-package-exporter.php reference now exports threaded comments.

Fixed

  • [Support Center/PHP8] Fixed some PHP 8.2+ deprecation warnings in the Support Center portal.

  • [Support Center/Account] In the Support Center portal, fixed an issue when changing the current account’s password. It wasn’t possible to change the password a second time without logging out and back in again.

  • [Support Center/Knowledgebase] Fixed an issue with re-parenting knowledgebase categories. The new category tree wasn’t reflected in the Support Center until all articles were re-saved.

  • [Log/Comments] Fixed an issue in the activity log where comments were logged and triggered notifications even when disable_events: was enabled (e.g. packages, automations).

  • [Automations/Comments/Log] Fixed an issue in the activity log. Creating comment records from an automation could misattribute the logged actor. This now always uses the comment author from the record.

Security

  • [Security/Dependencies] Updated the phpseclib dependency to v3.0.36 in response to an upstream vulnerability disclosure.

  • [Support Center/Security] In the Support Center portal, a minimum password length of 8 is now enforced.

  • [Support Center/Security] In the Support Center portal, it’s now possible to disable new account registration. This improves security in environments where registration is invite-only.

  • [Support Center/Security] In the Support Center portal, it’s now possible to disable account recovery (i.e. forgot password).

  • [Support Center/Security] Increased the complexity of CAPTCHA image challenges in the Support Center portal. Characters are individually positioned, rotated, scaled, and colorized. The background color and image dimensions are randomized.

  • [Support Center/Security] In the Support Center portal, a CAPTCHA image challenge is now required when requesting an account registration confirmation code by email. This increases the complexity of abuse (e.g. automated account creation, backscatter, spam).

  • [Support Center/Security] In the Support Center portal, a CAPTCHA image challenge is now required when requesting an account recovery code by email (i.e. forgot password). This increases the complexity of abuse (e.g. brute force, backscatter, spam).

  • [Support Center/Security] In the Support Center portal, an email address cannot be used to register a new account when a confirmation code was previously requested for it within the past 30 minutes. Previously, an attacker could repeatedly trigger confirmation codes to the same address and potentially damage the SMTP reputation of the mail server.

  • [Support Center/Security] In the Support Center portal, during account recovery, a confirmation code is not sent to an email address if one was previously requested for it within the past 60 minutes. Previously, an attacker could repeatedly trigger confirmation codes to the same address and potentially damage the SMTP reputation of the mail server.

  • [Support Center/Security] In the Support Center, fixed an issue where some non-validation error messages could be displayed to the user. This could potentially be abused to leak information, but there is no evidence it was directly exploitable.
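The two cooldown entries above (30 minutes for registration confirmation codes, 60 minutes for recovery codes) describe a per-address gate in front of the mail sender. The following is an added illustration of that gate, not Cerb's own code; the in-memory store, the injectable clock, and the `CodeRequestGate`/`Purpose` names are assumptions for the example.

```python
"""Per-address cooldown for emailed confirmation codes (added example)."""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Tuple


class Purpose(Enum):
    REGISTER = "register"  # account registration confirmation code
    RECOVER = "recover"    # account recovery (forgot password) code


# Cooldown windows in seconds, matching the 10.4.10 changelog entries.
COOLDOWN = {Purpose.REGISTER: 30 * 60, Purpose.RECOVER: 60 * 60}


def normalize_email(email: str) -> str:
    # Trim and lower-case so "Bob@Example.com " and "bob@example.com"
    # share one cooldown entry instead of each getting a fresh window.
    return email.strip().lower()


class FakeClock:
    """Deterministic clock for tests; production uses time.time."""
    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


@dataclass
class CodeRequestGate:
    clock: Callable[[], float] = time.time
    # (purpose, normalized email) -> time the last code was sent
    _last_sent: Dict[Tuple[Purpose, str], float] = field(default_factory=dict)

    def retry_after(self, purpose: Purpose, email: str) -> int:
        """Seconds until another code may be sent (0 when allowed now)."""
        last = self._last_sent.get((purpose, normalize_email(email)))
        if last is None:
            return 0
        return max(0, int(COOLDOWN[purpose] - (self.clock() - last)))

    def try_request(self, purpose: Purpose, email: str) -> bool:
        """True if the caller may send a code now; records the send time.
        False means send nothing: the address is still cooling down."""
        if self.retry_after(purpose, email) > 0:
            return False
        self._last_sent[(purpose, normalize_email(email))] = self.clock()
        return True
```

Registration and recovery keep separate windows for the same address, so one purpose's cooldown never blocks the other.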