### Critical Vulnerability Information

#### 2024R2.1 - 03/26/2025

- **Fixed**:
  - Fixed a security vulnerability while removing an AD/LDAP certificate (Thanks to Haiyu Li, Shifei Zhao, mro22, rjy, Kingzhen Chen, Ru Tan, and Qiu Liu for reporting this) [GL NA#87] - SG
  - Fixed several broken access control vulnerabilities (Thanks to Harmandeep Tandharu and Aakash Tayal for reporting these) [GL NA#88] - SG
  - Fixed a replay attack vulnerability by storing session data in MySQL [GL NA#82] - SG

#### 2024R2.0 - 01/21/2025

- **Fixed**:
  - Fixed an issue where adding a new NMS server with a self-signed certificate would fail [GL NA#73] - SG
  - Fixed an issue where this was not being escalated correctly - SG
  - Fixed an issue with translations causing elements to not display correctly [GL NA#73] - SG
  - Fixed an issue where the "New Check" model did not save configuration changes [GL NA#73] - SG
  - Fixed issues with page navigation and validation in the "New Check" model [GL NA#80] - SG

#### 2024R1.3 - 07/27/2024

- **Fixed**:
  - Fixed an issue where the graph would fail to show in Dashboard > Sources if hostname resolution was enabled [GL NA#69] - SAW
  - Editing, canceling, and clicking the "New Check" button will no longer cause you to reselect the previously selected check [GL NA#64] - SAW
  - Fixed an issue where the "New Check" model would not save configuration changes to the alarm state valid data [GL NA#66] - SAW

#### 2024R1.1 - 01/09/2024

- **Added**:
  - Updated traceroute agent to use NCPA 3.0.0 - SAW
  - Improved speed of host resolve when using DNS - SAW
  - Added an option to prevent dragging the background which would cause the route view to be offset [GL NA#56] - SAW
  - Fixed an issue where deleting a view which was associated to some sources (but not all) from a source's View Management would cause the source to be deleted as well - SAW

#### 2024R1.0 - 05/15/2024

- **Fixed**:
  - Fixed a privilege escalation in remove_source.sh (Thanks Sangwan Turner for reporting this issue) - SAW

#### 2023R2.3 - 12/02/2021

- **Fixed**:
  - SQL injection vulnerability on one option for source coverage report (CVE-2021-28924) (thanks Lucas Carneiro from STOlabAS) - JO
  - XSS vulnerability on 'Source' query page (CVE-2021-28924) - JO

#### 2023R2.2 - 09/22/2021

- **Fixed**:
  - Fixed SQL injection vulnerability on one option for source coverage report (CVE-2021-28924) (thanks Lucas Carneiro from STOlabAS) - JO

#### 2.4.3 - 11/21/2019

- **Updated**:
  - Updated SquidGuard loaders to now support PHP versions up to 7.3 - JO

#### 2.4.2 - 07/03/2019

- **Fixed**:
  - Fixed form authorization error on LDAP/IP add/edit server pages - JO

#### 2.4.1 - 06/03/2019

- **Fixed**:
  - Fixed multiple security vulnerabilities - GLS
  - Fixed spec-release install problem - JO

#### 2.4.0 - 04/04/2016

- **Fixed**:
  - Fixed bug causing email alerts to allow internal email addresses too (such as user@hostname) - JO
  - Fixed bug where queries were not using custom date time property - JO
  - Added ability to change the max amount of resolutions shown on the chord diagrams in global settings - JO
  - Added fix for performance problems starting services on 32bit versions of Network Analyzer - NSV

#### 2014R1.1 - 04/15/2014

- **Fixed**:
  - Fixed bug that wouldn't allow deleting sourcetypes from the summary page - JO
  - Added ability to delete sourcetypes from the summary page - JO

This information covers security vulnerability fixes across multiple versions, including but not limited to SQL injection, XSS attacks, privilege escalation, and configuration errors.