Greetings to the community!
An update of version 3.6.10 is now available, eFront 3.6.10 build 12151. This is an important maintenance release, including several security and functional updates. All users of efront are strongly recommended to update to this revision.
This version also introduces the security module, which runs self-checks on the system and lists posts from our security blog. New installation will have this activated automatically. If you are upgrading, you are recommended to activate the module from the "Modules" list.
=== Version 3.6.10 build 12151 ===
- Added visible option functionality in custom user profile fields
- Added ability to import users with subtypes via csv imports.
- Added "security module"
- Replaced decimal point and thousand separator with locale equivalents
- Security update: Fixed editor's "save template" not checking validity of inputted parameter (Reported by EgiX)
- Security update: Fixed unsafe file upload using capitalized extensions (Reported by EgiX)
- Security update: Fixed potential XSS attacks using unsafe GET parameters (Reported by Canberk Bolat of Mavituna Security and High-Tech Bridge SA Security Research Lab)
- Security update: Fixed possible sql injection attacks in multiple files (Reported by EgiX, Vulnerability Research Laboratory and High-Tech Bridge SA Security Research Lab)
- Security update: Fixed potential privilege escalation using cookies (Reported by EgiX)
- Security update: Fixed cookie information leaking using XSS (Reported by Semyon Perepelitsa)
- Security update: Fixed arbitrary file download issue (Reported by EgiX)
- Fixed "branchinfo" and "groupinfo" fields not appearing in user profile fields (Enterprise/Educational editions)
- Fixed issue about content tree management order
- Fixed issue about assigning users to branches page when filter was used (#1819)
- Fixed clearDuplicates for questions when copying questions from another lesson (#1812)
- Fixed drag and drop questions about background color issue with Chrome (#1831)
- Fixed improper handling of file black list during file upload
- Fixed tracking initialization about feedbacks
- Fixed feedback preview
- Fixed lesson timelines not listing events
- Fixed issue in forum page about pagination and subforums
- Fixed getSystemLogo function and an issue with site logo loading
- Fixed issue in reports generator about enrolling to lesson/course/group
- Fixed rounding error when submitting paypal price and using coupon