Hello everyone,
The following versions of Totara Learn have now been released:
- Release 18.5
- Release 17.18
- Release 16.24
- Release 15.30
- Release 14.35
- Release 13.43
- Release 12.62
- Release 11.62
- Release 10.64
- Release 9.70
- Release 2.9.67
- Release 2.7.72
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards
Release Team
Release 18.5 (23rd April 2024):
Important:
TL-38202 Changed how the 'Use default section name' checkbox works when editing course section names
In the topics course format, when a section name is set to an empty string, the
default section name will be shown for that section. This is also true when the
name is set to null, except for section 0. When section 0’s name is set to
null the section name is hidden.
Previously, the ‘Edit topic’ form did not allow section name to be an empty
string; it was always set to null if the field was left blank, without
regard to the 'Use default section name' checkbox.
With this update, the ‘Edit topic’ form will continue to save null if the
section name field is blank, but will save '' (empty string) when the 'Use
default section name' checkbox is checked. This provides consistent behaviour
for all sections, and allows display of the default name for section 0.
This change means that the 'Use default section name' checkbox is now unchecked
for all sections. There is no change in how section names are displayed.
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
TL-39830 Upgraded the phenx/php-svg-lib library to the latest version to fix security vulnerabilities
Included in this upgrade:
* Fixed restriction bypass and potential RCE.
* Improved path validation on font through SVG inline styles.
* Prevented infinite recursion when parsing SVG document.
TL-39847 Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report
When the sidebar filter is used on an embedded report, it will attempt to reload
the report via AJAX whenever one of its filters is changed. Unfortunately the
AJAX endpoint does not have any way to re-create the controls that are used to
limit the embedded report to just the data needed for the page. As a result, a
sidebar-filtered embedded report may include records that should not be visible
to the user.
This patch fixes the issue by disabling AJAX on the sidebar filter when used on
embedded reports. When used like this, the sidebar filter will have ‘search’
and ‘clear’ buttons, and will reload the entire page just like other filters
do.
TL-39908 Fixed security issues CVE-2024-27354 and CVE-2024-27355
* Fixed an issue where an attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption for an isPrime
primality check)
* Fixed an issue where, when processing the ASN.1 object identifier of a certificate,
a sub identifier may be provided that leads to a denial of service (CPU
consumption for decodeOID)
Performance improvements:
TL-39655 Improved the performance of selecting individuals for program assignments
Improvements:
TL-39846 Improved block skip link behaviour
Block skip links will now take you to the skip link for the next block, instead
of an empty element.
TL-40067 Improved notification status checkbox aria label
TL-39890 Changed the main content skip link to point to the [role=main] div
This results in better behaviour in some screen readers that would previously
just read out "blank".
Bug fixes:
TL-36300 Increased the character length on the checkbox group for multi choice questions in performance activities
Fixed to allow the long response options to take up more space before wrapping
TL-36666 Made sure that re-certification windows account properly for daylight savings time
TL-37134 Added new class listmarkerwide for adding more padding to list elements and applied it to book content
This is to provide space for more than 2 digits in the value attribute of a list
item
TL-37606 Added rotation of profile pictures when uploaded from phone
TL-37687 Fixed files in approval workflows not saving if there were multiple editor fields on a form
TL-38002 Made display of competencies in linked review element robust against assignment changes
Previously when a subject was unassigned from a competency that appeared in a
linked review item in performance activity, there would be a “This competency
no longer exists” message. The patch changes that message to “The assignment
for this competency no longer exists”.
The “This competency no longer exists” message now only appears if the
competency itself is deleted from the system.
TL-38064 Fixed minor inconsistent styling of feedback form elements
TL-38127 Fixed calendar mobile scroll issue
TL-38173 Prevented duplicate program/certification assignment notification after removing an exception
TL-38296 Fixed user report log string that was using "his" instead of "their"
TL-38418 The config.php cache now updates only when configuration changes
TL-38503 Tweaked the self enrolment confirmation message, after navigating away, to display the correct course
TL-38619 Improved bad performance of the "Synchronize audience members" task
TL-38652 Fixed an issue preventing user access to a report when the default saved search is deleted or made private.
TL-38692 Fixed missing user identity fields in quiz activity user override user selection menu
TL-38722 Added information about placeholders to the help text for the 'Custom parameters' field in the 'External tool configuration' form
TL-38859 Fixed email not updating in the UI when changed and confirmed.
TL-39007 Fixed an error when restoring a course that has custom role names
TL-39046 Fixed error message appearing on course request page
TL-39065 Updated course completions operations to now delete cache files for a single course to improve performance
TL-39093 Changed performance activity participant selection notification to instant sending
TL-39167 Fixed the incorrect timezone showing in user reports when forced timezone was set
TL-39170 Added tenant user create post definition hook
This change introduced a new hook
\totara_tenant\hook\tenant_user_create_form_definition_complete in the tenant
user create form
TL-39198 Fixed a bug where the course/program link would open twice when clicking on the name on a learning review item
TL-39229 Fixed the legacy webapi 'core_course_update_courses' function removing course completion due dates
TL-39311 Fixed the dropdown chevron in evidence page.
TL-39397 Fixed the display of the actions/blank column in activity response reports when re-adding the column
TL-39443 Fixed an issue where an h5p activity could not be duplicated on the course view page
TL-39533 Fixed threads error in the course completion task when using a MSSQL database
TL-39631 Fixed a mismatched variable name in a totara plans deletion message
TL-39678 Added a missing table join for the course completion status in report builder
TL-39682 Updated decimal custom field to properly support comma decimal separators
TL-39687 Made “Course Search” block results page left aligned
TL-39715 Added the correct styles to the data format selector that is used for downloading table data
TL-39731 Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements
TL-39821 Updated approval workflow submission process to correctly combine answers when the application changes from a later stage back to an earlier one
TL-39912 Fixed an issue where goals included in a performance activity review element could not have their full details accessed
TL-39948 Fixed the pathway course format passing an incorrect course_id to the query 'format_pathway_get_course'
TL-39970 Fixed a regression caused by TL-38203 which prevented activity notifications from showing in activity contexts
TL-40053 Fixed missing include in certification status audience rule
In some circumstances, the missing include could cause failures when dynamic
audiences based on the certification status rule were being updated.
TL-39975 Added an accessible label to the expand/collapse arrow on collapsible topics
TL-40072 Ensured that links in the current learning block are rendered with appropriate visual cues (such as underlines)
Tui front end framework:
TL-39951 Fixed aria-labelledby link in Tui confirmation and Tui information modals
TL-40154 Progress tracker nav component now always obeys force vertical
Library updates:
TL-34628 Upgraded jquery-ui to version 1.13.2
Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
Release 17.18 (23rd April 2024):
Important:
TL-38202 Changed how the 'Use default section name' checkbox works when editing course section names
In the topics course format, when a section name is set to an empty string, the
default section name will be shown for that section. This is also true when the
name is set to null, except for section 0. When section 0’s name is set to
null the section name is hidden.
Previously, the ‘Edit topic’ form did not allow section name to be an empty
string; it was always set to null if the field was left blank, without
regard to the 'Use default section name' checkbox.
With this update, the ‘Edit topic’ form will continue to save null if the
section name field is blank, but will save '' (empty string) when the 'Use
default section name' checkbox is checked. This provides consistent behaviour
for all sections, and allows display of the default name for section 0.
This change means that the 'Use default section name' checkbox is now unchecked
for all sections. There is no change in how section names are displayed.
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
TL-39830 Upgraded the phenx/php-svg-lib library to the latest version to fix security vulnerabilities
Included in this upgrade:
* Fixed restriction bypass and potential RCE.
* Improved path validation on font through SVG inline styles.
* Prevented infinite recursion when parsing SVG document.
TL-39847 Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report
When the sidebar filter is used on an embedded report, it will attempt to reload
the report via AJAX whenever one of its filters is changed. Unfortunately the
AJAX endpoint does not have any way to re-create the controls that are used to
limit the embedded report to just the data needed for the page. As a result, a
sidebar-filtered embedded report may include records that should not be visible
to the user.
This patch fixes the issue by disabling AJAX on the sidebar filter when used on
embedded reports. When used like this, the sidebar filter will have ‘search’
and ‘clear’ buttons, and will reload the entire page just like other filters
do.
TL-39908 Fixed security issues CVE-2024-27354 and CVE-2024-27355
* Fixed an issue where an attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption for an isPrime
primality check)
* Fixed an issue where, when processing the ASN.1 object identifier of a certificate,
a sub identifier may be provided that leads to a denial of service (CPU
consumption for decodeOID)
Performance improvements:
TL-39655 Improved the performance of selecting individuals for program assignments
Improvements:
TL-39846 Improved block skip link behaviour
Block skip links will now take you to the skip link for the next block, instead
of an empty element.
TL-40067 Improved notification status checkbox aria label
TL-39890 Changed the main content skip link to point to the [role=main] div
This results in better behaviour in some screen readers that would previously
just read out "blank".
Bug fixes:
TL-36300 Increased the character length on the checkbox group for multi choice questions in performance activities
Fixed to allow the long response options to take up more space before wrapping
TL-36666 Made sure that re-certification windows account properly for daylight savings time
TL-37134 Added new class listmarkerwide for adding more padding to list elements and applied it to book content
This is to provide space for more than 2 digits in the value attribute of a list
item
TL-37606 Added rotation of profile pictures when uploaded from phone
TL-37687 Fixed files in approval workflows not saving if there were multiple editor fields on a form
TL-37938 Fixed misaligned true/false question element in Lesson activity
TL-38002 Made display of competencies in linked review element robust against assignment changes
Previously when a subject was unassigned from a competency that appeared in a
linked review item in performance activity, there would be a “This competency
no longer exists” message. The patch changes that message to “The assignment
for this competency no longer exists”.
The “This competency no longer exists” message now only appears if the
competency itself is deleted from the system.
TL-38064 Fixed minor inconsistent styling of feedback form elements
TL-38127 Fixed calendar mobile scroll issue
TL-38173 Prevented duplicate program/certification assignment notification after removing an exception
TL-38296 Fixed user report log string that was using "his" instead of "their"
TL-38418 The config.php cache now updates only when configuration changes
TL-38503 Tweaked the self enrolment confirmation message, after navigating away, to display the correct course
TL-38619 Improved bad performance of the "Synchronize audience members" task
TL-38652 Fixed an issue preventing user access to a report when the default saved search is deleted or made private.
TL-38692 Fixed missing user identity fields in quiz activity user override user selection menu
TL-38722 Added information about placeholders to the help text for the 'Custom parameters' field in the 'External tool configuration' form
TL-38859 Fixed email not updating in the UI when changed and confirmed.
TL-39007 Fixed an error when restoring a course that has custom role names
TL-39046 Fixed error message appearing on course request page
TL-39065 Updated course completions operations to now delete cache files for a single course to improve performance
TL-39093 Changed performance activity participant selection notification to instant sending
TL-39167 Fixed the incorrect timezone showing in user reports when forced timezone was set
TL-39170 Added tenant user create post definition hook
This change introduced a new hook
\totara_tenant\hook\tenant_user_create_form_definition_complete in the tenant
user create form
TL-39198 Fixed a bug where the course/program link would open twice when clicking on the name on a learning review item
TL-39229 Fixed the legacy webapi 'core_course_update_courses' function removing course completion due dates
TL-39397 Fixed the display of the actions/blank column in activity response reports when re-adding the column
TL-39533 Fixed threads error in the course completion task when using a MSSQL database
TL-39631 Fixed a mismatched variable name in a totara plans deletion message
TL-39687 Made “Course Search” block results page left aligned
TL-39731 Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements
TL-39821 Updated approval workflow submission process to correctly combine answers when the application changes from a later stage back to an earlier one
TL-40053 Fixed missing include in certification status audience rule
In some circumstances, the missing include could cause failures when dynamic
audiences based on the certification status rule were being updated.
TL-39975 Added an accessible label to the expand/collapse arrow on collapsible topics
TL-40072 Ensured that links in the current learning block are rendered with appropriate visual cues (such as underlines)
Tui front end framework:
TL-39951 Fixed aria-labelledby link in Tui confirmation and Tui information modals
Library updates:
TL-34628 Upgraded jquery-ui to version 1.13.2
Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
Release 16.24 (23rd April 2024):
Important:
TL-38202 Changed how the 'Use default section name' checkbox works when editing course section names
In the topics course format, when a section name is set to an empty string, the
default section name will be shown for that section. This is also true when the
name is set to null, except for section 0. When section 0’s name is set to
null the section name is hidden.
Previously, the ‘Edit topic’ form did not allow section name to be an empty
string; it was always set to null if the field was left blank, without
regard to the 'Use default section name' checkbox.
With this update, the ‘Edit topic’ form will continue to save null if the
section name field is blank, but will save '' (empty string) when the 'Use
default section name' checkbox is checked. This provides consistent behaviour
for all sections, and allows display of the default name for section 0.
This change means that the 'Use default section name' checkbox is now unchecked
for all sections. There is no change in how section names are displayed.
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
TL-39830 Upgraded the phenx/php-svg-lib library to the latest version to fix security vulnerabilities
Included in this upgrade:
* Fixed restriction bypass and potential RCE.
* Improved path validation on font through SVG inline styles.
* Prevented infinite recursion when parsing SVG document.
TL-39847 Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report
When the sidebar filter is used on an embedded report, it will attempt to reload
the report via AJAX whenever one of its filters is changed. Unfortunately the
AJAX endpoint does not have any way to re-create the controls that are used to
limit the embedded report to just the data needed for the page. As a result, a
sidebar-filtered embedded report may include records that should not be visible
to the user.
This patch fixes the issue by disabling AJAX on the sidebar filter when used on
embedded reports. When used like this, the sidebar filter will have ‘search’
and ‘clear’ buttons, and will reload the entire page just like other filters
do.
TL-39908 Fixed security issues CVE-2024-27354 and CVE-2024-27355
* Fixed an issue where an attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption for an isPrime
primality check)
* Fixed an issue where, when processing the ASN.1 object identifier of a certificate,
a sub identifier may be provided that leads to a denial of service (CPU
consumption for decodeOID)
Performance improvements:
TL-39655 Improved the performance of selecting individuals for program assignments
Bug fixes:
TL-36300 Increased the character length on the checkbox group for multi choice questions in performance activities
Fixed to allow the long response options to take up more space before wrapping
TL-36666 Made sure that re-certification windows account properly for daylight savings time
TL-37134 Added new class listmarkerwide for adding more padding to list elements and applied it to book content
This is to provide space for more than 2 digits in the value attribute of a list
item
TL-37606 Added rotation of profile pictures when uploaded from phone
TL-38127 Fixed calendar mobile scroll issue
TL-38296 Fixed user report log string that was using "his" instead of "their"
TL-38418 The config.php cache now updates only when configuration changes
TL-38503 Tweaked the self enrolment confirmation message, after navigating away, to display the correct course
TL-38652 Fixed an issue preventing user access to a report when the default saved search is deleted or made private.
TL-38692 Fixed missing user identity fields in quiz activity user override user selection menu
TL-38722 Added information about placeholders to the help text for the 'Custom parameters' field in the 'External tool configuration' form
TL-39170 Added tenant user create post definition hook
This change introduced a new hook
\totara_tenant\hook\tenant_user_create_form_definition_complete in the tenant
user create form
TL-39631 Fixed a mismatched variable name in a totara plans deletion message
TL-39687 Made “Course Search” block results page left aligned
TL-39731 Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements
Tui front end framework:
TL-39951 Fixed aria-labelledby link in Tui confirmation and Tui information modals
Library updates:
TL-34628 Upgraded jquery-ui to version 1.13.2
Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
Release 15.30 (23rd April 2024):
Important:
TL-38202 Changed how the 'Use default section name' checkbox works when editing course section names
In the topics course format, when a section name is set to an empty string, the
default section name will be shown for that section. This is also true when the
name is set to null, except for section 0. When section 0’s name is set to
null the section name is hidden.
Previously, the ‘Edit topic’ form did not allow section name to be an empty
string; it was always set to null if the field was left blank, without
regard to the 'Use default section name' checkbox.
With this update, the ‘Edit topic’ form will continue to save null if the
section name field is blank, but will save '' (empty string) when the 'Use
default section name' checkbox is checked. This provides consistent behaviour
for all sections, and allows display of the default name for section 0.
This change means that the 'Use default section name' checkbox is now unchecked
for all sections. There is no change in how section names are displayed.
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
TL-39830 Upgraded the phenx/php-svg-lib library to the latest version to fix security vulnerabilities
Included in this upgrade:
* Fixed restriction bypass and potential RCE.
* Improved path validation on font through SVG inline styles.
* Prevented infinite recursion when parsing SVG document.
TL-39847 Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report
When the sidebar filter is used on an embedded report, it will attempt to reload
the report via AJAX whenever one of its filters is changed. Unfortunately the
AJAX endpoint does not have any way to re-create the controls that are used to
limit the embedded report to just the data needed for the page. As a result, a
sidebar-filtered embedded report may include records that should not be visible
to the user.
This patch fixes the issue by disabling AJAX on the sidebar filter when used on
embedded reports. When used like this, the sidebar filter will have ‘search’
and ‘clear’ buttons, and will reload the entire page just like other filters
do.
TL-39908 Fixed security issues CVE-2024-27354 and CVE-2024-27355
* Fixed an issue where an attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption for an isPrime
primality check)
* Fixed an issue where, when processing the ASN.1 object identifier of a certificate,
a sub identifier may be provided that leads to a denial of service (CPU
consumption for decodeOID)
Performance improvements:
TL-39655 Improved the performance of selecting individuals for program assignments
Bug fixes:
TL-36785 Fixed PHP 8.0 related bug in phpspreadsheet library
TL-37134 Added new class listmarkerwide for adding more padding to list elements and applied it to book content
This is to provide space for more than 2 digits in the value attribute of a list
item
TL-37606 Added rotation of profile pictures when uploaded from phone
TL-38127 Fixed calendar mobile scroll issue
TL-38296 Fixed user report log string that was using "his" instead of "their"
TL-38418 The config.php cache now updates only when configuration changes
TL-38503 Tweaked the self enrolment confirmation message, after navigating away, to display the correct course
TL-38692 Fixed missing user identity fields in quiz activity user override user selection menu
TL-39170 Added tenant user create post definition hook
This change introduced a new hook
\totara_tenant\hook\tenant_user_create_form_definition_complete in the tenant
user create form
TL-39687 Made “Course Search” block results page left aligned
TL-39731 Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements
Tui front end framework:
TL-39951 Fixed aria-labelledby link in Tui confirmation and Tui information modals
Library updates:
TL-34628 Upgraded jquery-ui to version 1.13.2
Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
Release 14.35 (23rd April 2024):
Important:
TL-38202 Changed how the 'Use default section name' checkbox works when editing course section names
In the topics course format, when a section name is set to an empty string, the
default section name will be shown for that section. This is also true when the
name is set to null, except for section 0. When section 0’s name is set to
null the section name is hidden.
Previously, the ‘Edit topic’ form did not allow section name to be an empty
string; it was always set to null if the field was left blank, without
regard to the 'Use default section name' checkbox.
With this update, the ‘Edit topic’ form will continue to save null if the
section name field is blank, but will save '' (empty string) when the 'Use
default section name' checkbox is checked. This provides consistent behaviour
for all sections, and allows display of the default name for section 0.
This change means that the 'Use default section name' checkbox is now unchecked
for all sections. There is no change in how section names are displayed.
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
TL-39830 Upgraded the phenx/php-svg-lib library to the latest version to fix security vulnerabilities
Included in this upgrade:
* Fixed restriction bypass and potential RCE.
* Improved path validation on font through SVG inline styles.
* Prevented infinite recursion when parsing SVG document.
TL-39847 Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report
When the sidebar filter is used on an embedded report, it will attempt to reload
the report via AJAX whenever one of its filters is changed. Unfortunately the
AJAX endpoint does not have any way to re-create the controls that are used to
limit the embedded report to just the data needed for the page. As a result, a
sidebar-filtered embedded report may include records that should not be visible
to the user.
This patch fixes the issue by disabling AJAX on the sidebar filter when used on
embedded reports. When used like this, the sidebar filter will have ‘search’
and ‘clear’ buttons, and will reload the entire page just like other filters
do.
TL-39908 Fixed security issues CVE-2024-27354 and CVE-2024-27355
* Fixed an issue where an attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption for an isPrime
primality check)
* Fixed an issue where, when processing the ASN.1 object identifier of a certificate,
a sub identifier may be provided that leads to a denial of service (CPU
consumption for decodeOID)
Bug fixes:
TL-36785 Fixed PHP 8.0 related bug in phpspreadsheet library
TL-38127 Fixed calendar mobile scroll issue
TL-38296 Fixed user report log string that was using "his" instead of "their"
TL-38418 The config.php cache now updates only when configuration changes
TL-39687 Made “Course Search” block results page left aligned
TL-39731 Prevented performance activity draft responses showing for other participants for sub-questions of linked review elements
Tui front end framework:
TL-39951 Fixed aria-labelledby link in Tui confirmation and Tui information modals
Library updates:
TL-34628 Upgraded jquery-ui to version 1.13.2
Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
Release 13.43 (23rd April 2024):
Important:
TL-38202 Changed how the 'Use default section name' checkbox works when editing course section names
In the topics course format, when a section name is set to an empty string, the
default section name will be shown for that section. This is also true when the
name is set to null, except for section 0. When section 0’s name is set to
null the section name is hidden.
Previously, the ‘Edit topic’ form did not allow section name to be an empty
string; it was always set to null if the field was left blank, without
regard to the 'Use default section name' checkbox.
With this update, the ‘Edit topic’ form will continue to save null if the
section name field is blank, but will save '' (empty string) when the 'Use
default section name' checkbox is checked. This provides consistent behaviour
for all sections, and allows display of the default name for section 0.
This change means that the 'Use default section name' checkbox is now unchecked
for all sections. There is no change in how section names are displayed.
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
TL-39830 Upgraded the phenx/php-svg-lib library to the latest version to fix security vulnerabilities
Included in this upgrade:
* Fixed restriction bypass and potential RCE.
* Improved path validation on font through SVG inline styles.
* Prevented infinite recursion when parsing SVG document.
TL-39847 Prevented the sidebar filter from loading data that should not be visible in the context of the embedded report
When the sidebar filter is used on an embedded report, it will attempt to reload
the report via AJAX whenever one of its filters is changed. Unfortunately the
AJAX endpoint does not have any way to re-create the controls that are used to
limit the embedded report to just the data needed for the page. As a result, a
sidebar-filtered embedded report may include records that should not be visible
to the user.
This patch fixes the issue by disabling AJAX on the sidebar filter when used on
embedded reports. When used like this, the sidebar filter will have ‘search’
and ‘clear’ buttons, and will reload the entire page just like other filters
do.
TL-39908 Fixed security issues CVE-2024-27354 and CVE-2024-27355
* Fixed an issue where an attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption for an isPrime
primality check)
* Fixed an issue where, when processing the ASN.1 object identifier of a certificate,
a sub identifier may be provided that leads to a denial of service (CPU
consumption for decodeOID)
Bug fixes:
TL-38127 Fixed calendar mobile scroll issue
TL-38296 Fixed user report log string that was using "his" instead of "their"
TL-39687 Made “Course Search” block results page left aligned
Tui front end framework:
TL-39951 Fixed aria-labelledby link in Tui confirmation and Tui information modals
Library updates:
TL-34628 Upgraded jquery-ui to version 1.13.2
Resolves jquery-ui CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
Release 12.62 (23rd April 2024):
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
Release 11.62 (23rd April 2024):
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
Release 10.64 (23rd April 2024):
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
Release 9.70 (23rd April 2024):
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
Release 2.9.67 (23rd April 2024):
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
Release 2.7.72 (23rd April 2024):
Security issues:
TL-38661 Fixed XSS when previewing course upload data
The course upload preview contained an XSS risk for users uploading unsafe data.
