Security and authentication improvements
The following improvements regarding security and authentication have been made.
Check real content type for attachments (#667771)
A new server‑side validation checks the actual file signature (magic bytes) of every attachment uploaded via the Web Client, CM/Track, or the API in case of incoming emails and webhooks. Files whose content does not match the declared extension or MIME type are automatically rejected, preventing the upload of executable or other forbidden files via content‑type spoofing.
If valid attachments are rejected because their extension does not match the detected MIME type, you can add the mapping to the system property cmas‑core‑server, attachment.type.hints, which allows mapping one extension to multiple allowed MIME types.
Extension segments which do not contain any letter are ignored, i.e. the file server.log.1 is checked against the log extension.
Global logout on password change (#667772)
When a user changes their password, all other active sessions for that account are now terminated immediately. Any attempt to continue using those sessions will require a full login with the new credentials. The message shown after the automatic logout has been adjusted to clarify that the logout can have happened either due to a session timeout or a password change.
Third-party library changes
The following third-party libraries have been updated or replaced in this ConSol CM version:
- axios (#668402, #668567): Updated to version 1.16.1
- bcpkix-jdk18on (#668580): Updated to version 1.81.1
- commons-fileupload2-core (#668464): Updated to version 2.0.0-M5
- dompurify (#667888): Updated to version 3.4.1
- doxia-module-markdown (#668000): Updated to version 2.1.0
- follow-redirects (#667888): Updated to version 1.16.0
- formio (#667888): Updated to version 5.3.5
- froala (#667888, #667915): Updated to version 5.0.1
- highcharts (#667600): Updated to version 12.5.0
- immutable (#667824, #667888, #667908): Updated to version 3.8.3 and 5.1.5
- lodash (#667908): Updated to version 4.18.1
- log4j-api (#668143, #668234): Updated to version 2.25.4
- micrometer (#668681): Updated to version 1.15.12
- netty (#668648, 668649, #668650, #668651): Updated to version 4.1.135
- opennlp-tools (#668000): Updated to version 2.5.9
- pdfbox (#668000): Updated to version 3.0.7
- postcss (#667908): Updated to version 8.5.10
- postgresql (#668000, #668081, #668084): Updated to version 42.7.11
- react-intl (#667888): Updates to version 10.1.1
- react-router-dom (#668402): Updated to version 6.30.3
- reactor-netty-http (#668681): Updated to version 1.2.18
- rhino (#668375): Updated to version 1.7.14.1
- sanitize-html (#668581): Updated to version 2.17.4
- spring (#668681): Updated to version 6.2.19
- spring-ai-bom (#668681): Updated to version 1.0.8
- spring boot (#668648, #668649, #668679, #668680, #668683): Updated to version 3.5.15
- spring-ldap-core (#668681): Updated to version 3.3.8
- spring security (#668681): Updated to version 6.5.11
- spring-retry (#668681): Updated to version 2.0.13
- tomcat (#667999, #668234, #668402, #668457): Updated to version 10.1.55
- typescript (#667888): Updated to version 6.0.2
- uuid (#667888, #667908): Updated to version 14.0.0
- vis.js (#667600): Replaced by
vis-networkin version 10.0.2 - vite (#668402): Updated to version 6.4.2
- vitejs/plugin-react-swc (#668402): Updated to version 3.11.0
- vite-plugin-svgr (#668402): Updated to version 5.2.0
- wicket (#668000): Updated to version 10.9.0
- ws (#667888): Updated to version 8.21.0
- yaml (#667908): Updated to version 1.10.3
The Highcharts library update comprises a major version jump (7 → 12) which can contain breaking changes, see https://www.highcharts.com/changelog/. Please review your widget or visualization scripts for charts.
The users need to update CM/Doc for this change to become effective.