Hello everyone,
The following versions of Totara have now been released:
- Release 19.1.1
- Release 19.0.7
- Release 18.20
- Release 17.33
- Release 16.39
- Release 15.45
- Release 14.50
- Release 13.58
- Release 12.75
- Release 11.75
- Release 10.77
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Andrew Mansfield at Coretxa - TL-43805
- Michael Geering at Think Learning - TL-42693, TL-42783
- Sasha Anastasi at Catalyst - TL-44716
- Steven Hughes at Think Learning - TL-41289
Kind regards
Release Team
Release 19.1.1 (29th July 2025):
Security issues:
TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
TL-39918 Removed sesskey from URLs to minimise potential security concerns.
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol
Additionally, a new security check has been introduced to alert site
administrators when XML-RPC or SOAP web service protocols are enabled, as these
are considered insecure. If legacy web services are still required, the REST
protocol is the recommended option. However, please note that web services are
no longer actively maintained and will eventually be deprecated and removed. For
new integrations, it is strongly recommended to use the external API.
TL-43243 Error messages that are not client aware will no longer show in internal GraphQL APIs if debugging is disabled
For internal APIs, to see the full error the site debug must be set to full or
developer level. Otherwise the error message will be hidden unless it’s
considered a client-safe one (such as a validation message).
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
TL-45416 Fixed a user ID enumeration problem in profiles
TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
Performance improvements:
TL-45256 Optimised linked courses subquery to improve performance
This fixes a performance issue on the competencies tab of learning plans, when a
large number of courses were assigned to a competency.
Improvements:
TL-44920 Allowed the API user role to view all course activity types, so they can be returned in API results.
Added capabilities to the ‘apiuser’ role to ensure access to all course
activity types via API endpoints.
For new installations, the ‘apiuser’ role will automatically include these
capabilities.
For existing installations, admins will need to manually assign these
capabilities to the ‘apiuser’ role to ensure access to all course activity
types via API endpoints.
New capabilities added:
- mod/assign:view
- mod/certificate:view
- mod/data:view
- mod/facetoface:view
- mod/feedback:view
- mod/glossary:view
- mod/lti:view
- mod/quiz:view
- mod/scorm:view
TL-45041 Added support for single tenanted Microsoft Teams integrations
The Microsoft Teams and Microsoft Teams Virtual Meetings plugins within Totara
Suite now support single-tenant Microsoft Entra (Azure AD) applications. Two new
settings — Bot tenant ID and Tenant ID — allow authentication to be scoped
to a specific tenant rather than using the global multi-tenant endpoint.
This change is backwards compatible and requires no action after upgrade unless
you use Azure apps restricted to a single tenant. In that case, you should
follow the instructions available in the public developer documentation for the
[Microsoft Teams|https://totara.atlassian.net/wiki/spaces/DEV/pages/121184874/Setting+up+Microsoft+Teams+integration#Step-2%3A-Create-an-application-in-Azure]
and [Microsoft Teams Virtual Meetings|https://totara.atlassian.net/wiki/spaces/DEV/pages/121185169/Setting+up+Microsoft+Teams+Virtualmeeting+plugin]
plugins respectively.
This change is necessary due to Microsoft ending support for new multi-tenant
Teams bots from 31 July 2025. Existing integrations will continue to function
without modification.
Bug fixes:
TL-35724 Enabled responsive sizing for embedded videos in Weka editor
TL-36963 Fixed SMTP debug messages appearing when sending a test theme email
TL-38525 Fixed a bug where internal URLs were being treated as external URLs when redirecting in the Microsoft Teams application
TL-39309 Fixed text in help message for badges image uploads to only state the accepted format
TL-40084 Fixed permissions checks for the Goal Custom Fields report 'Goal Name' column when viewed by indirect managers
TL-40156 Fixed PHP deprecation warning in format_array_postdata_for_curlcall()
TL-40365 Fixed checks to not display 'Create goal' button when 'Create goal' permission is removed from a user
TL-40821 Prevented "call to action" indicator in reports when user cannot work on a certification
TL-40917 Added required JavaScript to rb_source_cohort_associations so we can POST sesskey correctly
TL-40953 Fixed tenant user managers being unable to view user emails
With this change the tenant participants report now assigns the tenant context
correctly. Additionally custom tenant reports also pass the context along. In
both cases this means the email column will be visible if enabled and the user
has the correct capability.
TL-41243 Allowed users to filter session attendance by 'not set' status in Seminar Sign-ups reports
TL-41289 Fixed error when using external logs with no record
TL-42016 Fixed a deprecation notice when a radio form field has no label
TL-42693 Fixed error if renaming file in Totara Forms File Manager
TL-42783 Fixed validation errors in Totara Forms File Manager
TL-43438 Changed forms.scss to restore atto editor textarea elements within totara_form to their default value
TL-43509 The test email results on the SMTP test page will now print escaped, showing the raw email content.
TL-43604 Fixed manual participant selectors for performance activities not being removed on relationship change
TL-43805 Fixed the get_source function potentially returning null
TL-43894 Fixed duplication of courses in your library by workspaces
TL-44009 Fixed course images not appearing in the 'Recent files' section of image uploads
TL-44374 Improved accessibility on grid catalogue details panel
TL-44413 Improved screen reader readout for the grid catalog filter options
TL-44424 Fixed default catalogue sorting when multiple languages are enabled
TL-44427 Fixed in-progress course reset for individual users
Users with the capability can reset an in-progress course for themselves or other
users. Prior to this patch, this feature inadvertently left course-level
activity completion records in place, causing completion data to appear out of
sync in the completion editor. The bug also meant that learners with a
course-in-progress reset could sometimes complete the course without
re-completing all activities.
This patch also fixes an issue in recent Totara releases that prevented
individual reset of in-progress courses. Bulk course reset ('Reset completions')
remains limited to resetting completed courses only.
TL-44677 Fixed accessibility for the legacy select tree component
TL-44685 Fixed accessibility focus return when 'Catalog share' popover is closed
TL-44689 Improved keyboard accessibility of the view toggle on grid catalogue
TL-44692 Changed HTML tags used in \core_user\output\myprofile\renderer to improve accessibility
TL-44716 Fixed a validation problem with IPv6 addresses following a recent PHP update
TL-44748 Fixed lack of contrast on focus state for catalogue pagination and block add buttons
TL-44763 Fixed accessibility compliance for the notification preferences 'Expand All' button
TL-44786 News items in a course are now set to the default value when converting to a course format that supports it
TL-44809 Fixed audience visibility settings check for content market place courses
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
TL-44859 Changed the default profile image to improve colour accessibility
TL-45006 Fixed excimer script type for external API
TL-45132 Added accessibility aria popup attribute for cards in explore catalogue
TL-45141 Fixed PHP exception when launching AICC SCORM
TL-45172 Fixed error in Report Builder graphs with aggregated percentage values
TL-45191 Updated the Popover component so that focus now returns to the popover trigger when the popover closes
TL-45192 Fixed missing context error for course_section resolver
TL-45216 Removed condition preventing guests from seeing the catalog block
Guest users should be able to see the catalog block the same way as the catalog
page itself. To revert this change, go to the early access settings page and
disable guest_display. In Totara 20, guests will be able to see the block.
TL-45257 Fixed an issue where the Inspire theme custom HTML header and footer content was not being saved properly
TL-45266 Fixed crash when Excimer and 'dbpersist' option are enabled together on PostgreSQL
TL-45306 Fixed deprecation warning being generated in report builder display functions under PHP 8.3
TL-45348 Fixed the wording on the display order help description
TL-41760 Added descriptive labels to 'Add' and 'Remove' buttons in permissions table
TL-41791 Updated logic to apply the correct ARIA role to popovers based on the trigger
TL-42892 Fixed the accessibility of blocks on the course view page
* The aria-labelledby attribute has been added to the 'pre' tag followed by an 'ul' and 'li' tag, in the
settings and course navigation blocks.
* The presentation role is now added when generating '/pre' nodes from ajax data
in the settings block.
TL-44833 Improved accessibility for pathway format progress tracker and user toolbar
TL-45262 Removed incorrect aria role from the side panel in Messages
Technical changes:
TL-38262 Improved behat testing accuracy for notifications tests
TL-38359 Fixed a problem when loading relationships via the ORM would not work if no items were found
Recommendations engine:
TL-45560 Updated the docker base image from `python:3.11-slim-buster` to `python:3.11-slim`
Buster has reached end-of-life and its repositories were no longer accessible,
causing problems when starting the docker image. With this change we no longer
tie the image to a specific Debian version and instead use the latest python
3.11 slim image.
This only impacted newly created instances. However, if you’ve been running the
service for a while, we recommend rebuilding it to update your OS.
Contributions:
* Andrew Mansfield at Coretxa - TL-43805
* Michael Geering at Think Learning - TL-42693, TL-42783
* Sasha Anastasi at Catalyst - TL-44716
* Steven Hughes at Think Learning - TL-41289
Release 19.0.7 (29th July 2025):
Security issues:
TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol
Additionally, a new security check has been introduced to alert site
administrators when XML-RPC or SOAP web service protocols are enabled, as these
are considered insecure. If legacy web services are still required, the REST
protocol is the recommended option. However, please note that web services are
no longer actively maintained and will eventually be deprecated and removed. For
new integrations, it is strongly recommended to use the external API.
TL-43243 Error messages that are not client aware will no longer show in internal GraphQL APIs if debugging is disabled
For internal APIs, to see the full error the site debug must be set to full or
developer level. Otherwise the error message will be hidden unless it’s
considered a client-safe one (such as a validation message).
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
TL-45416 Fixed a user ID enumeration problem in profiles
TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
Performance improvements:
TL-45256 Optimised linked courses subquery to improve performance
This fixes a performance issue on the competencies tab of learning plans, when a
large number of courses were assigned to a competency.
Improvements:
TL-44920 Allowed the API user role to view all course activity types, so they can be returned in API results.
Added capabilities to the ‘apiuser’ role to ensure access to all course
activity types via API endpoints.
For new installations, the ‘apiuser’ role will automatically include these
capabilities.
For existing installations, admins will need to manually assign these
capabilities to the ‘apiuser’ role to ensure access to all course activity
types via API endpoints.
New capabilities added:
- mod/assign:view
- mod/certificate:view
- mod/data:view
- mod/facetoface:view
- mod/feedback:view
- mod/glossary:view
- mod/lti:view
- mod/quiz:view
- mod/scorm:view
TL-45041 Added support for single tenanted Microsoft Teams integrations
The Microsoft Teams and Microsoft Teams Virtual Meetings plugins within Totara
Suite now support single-tenant Microsoft Entra (Azure AD) applications. Two new
settings — Bot tenant ID and Tenant ID — allow authentication to be scoped
to a specific tenant rather than using the global multi-tenant endpoint.
This change is backwards compatible and requires no action after upgrade unless
you use Azure apps restricted to a single tenant. In that case, you should
follow the instructions available in the public developer documentation for the
[Microsoft Teams|https://totara.atlassian.net/wiki/spaces/DEV/pages/121184874/Setting+up+Microsoft+Teams+integration#Step-2%3A-Create-an-application-in-Azure]
and [Microsoft Teams Virtual Meetings|https://totara.atlassian.net/wiki/spaces/DEV/pages/121185169/Setting+up+Microsoft+Teams+Virtualmeeting+plugin]
plugins respectively.
This change is necessary due to Microsoft ending support for new multi-tenant
Teams bots from 31 July 2025. Existing integrations will continue to function
without modification.
TL-45656 Backported behat steps to improve navigation to program and certification pages
A new Behat step is now available to go directly to a program or certification
edit page: “I go to edit the program X” or “I go to edit the certification
X”, where X is the short name of the program. This avoids going through several
admin pages to edit a program or certification's details.
Bug fixes:
TL-35724 Enabled responsive sizing for embedded videos in Weka editor
TL-36963 Fixed SMTP debug messages appearing when sending a test theme email
TL-38525 Fixed a bug where internal URLs were being treated as external URLs when redirecting in the Microsoft Teams application
TL-39309 Fixed text in help message for badges image uploads to only state the accepted format
TL-40084 Fixed permissions checks for the Goal Custom Fields report 'Goal Name' column when viewed by indirect managers
TL-40156 Fixed PHP deprecation warning in format_array_postdata_for_curlcall()
TL-40365 Fixed checks to not display 'Create goal' button when 'Create goal' permission is removed from a user
TL-40821 Prevented "call to action" indicator in reports when user cannot work on a certification
TL-40917 Added required JavaScript to rb_source_cohort_associations so we can POST sesskey correctly
TL-40953 Fixed tenant user managers being unable to view user emails
With this change the tenant participants report now assigns the tenant context
correctly. Additionally custom tenant reports also pass the context along. In
both cases this means the email column will be visible if enabled and the user
has the correct capability.
TL-41243 Allowed users to filter session attendance by 'not set' status in Seminar Sign-ups reports
TL-41289 Fixed error when using external logs with no record
TL-42016 Fixed a deprecation notice when a radio form field has no label
TL-42693 Fixed error if renaming file in Totara Forms File Manager
TL-42783 Fixed validation errors in Totara Forms File Manager
TL-43438 Changed forms.scss to restore atto editor textarea elements within totara_form to their default value
TL-43509 The test email results on the SMTP test page will now print escaped, showing the raw email content.
TL-43604 Fixed manual participant selectors for performance activities not being removed on relationship change
TL-43805 Fixed the get_source function potentially returning null
TL-43894 Fixed duplication of courses in your library by workspaces
TL-44009 Fixed course images not appearing in the 'Recent files' section of image uploads
TL-44374 Improved accessibility on grid catalogue details panel
TL-44427 Fixed in-progress course reset for individual users
Users with the capability can reset an in-progress course for themselves or other
users. Prior to this patch, this feature inadvertently left course-level
activity completion records in place, causing completion data to appear out of
sync in the completion editor. The bug also meant that learners with a
course-in-progress reset could sometimes complete the course without
re-completing all activities.
This patch also fixes an issue in recent Totara releases that prevented
individual reset of in-progress courses. Bulk course reset ('Reset completions')
remains limited to resetting completed courses only.
TL-44677 Fixed accessibility for the legacy select tree component
TL-44685 Fixed accessibility focus return when 'Catalog share' popover is closed
TL-44689 Improved keyboard accessibility of the view toggle on grid catalogue
TL-44692 Changed HTML tags used in \core_user\output\myprofile\renderer to improve accessibility
TL-44716 Fixed a validation problem with IPv6 addresses following a recent PHP update
TL-44763 Fixed accessibility compliance for the notification preferences 'Expand All' button
TL-44786 News items in a course are now set to the default value when converting to a course format that supports it
TL-44809 Fixed audience visibility settings check for content market place courses
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
TL-44859 Changed the default profile image to improve colour accessibility
TL-45141 Fixed PHP exception when launching AICC SCORM
TL-45172 Fixed error in Report Builder graphs with aggregated percentage values
TL-45191 Updated the Popover component so that focus now returns to the popover trigger when the popover closes
TL-45192 Fixed missing context error for course_section resolver
TL-45216 Removed condition preventing guests from seeing the catalog block
Guest users should be able to see the catalog block the same way as the catalog
page itself. To revert this change and hide the catalog block for guests, set
$CFG->revert_TL_45216_until_T1911 = true; in your config file. This setting will
be accessible under the early access settings page in Totara 19.1.1 and will
be removed in Totara 20 (guests will be able to see the block).
TL-45257 Fixed an issue where the Inspire theme custom HTML header and footer content was not being saved properly
TL-45306 Fixed deprecation warning being generated in report builder display functions under PHP 8.3
TL-41760 Added descriptive labels to 'Add' and 'Remove' buttons in permissions table
TL-41791 Updated logic to apply the correct ARIA role to popovers based on the trigger
TL-42892 Fixed the accessibility of blocks on the course view page
* The aria-labelledby attribute has been added to the 'pre' tag followed by an 'ul' and 'li' tag, in the
settings and course navigation blocks.
* The presentation role is now added when generating '/pre' nodes from ajax data
in the settings block.
TL-44833 Improved accessibility for pathway format progress tracker and user toolbar
TL-45262 Removed incorrect aria role from the side panel in Messages
Technical changes:
TL-38262 Improved behat testing accuracy for notifications tests
TL-38359 Fixed a problem when loading relationships via the ORM would not work if no items were found
Recommendations engine:
TL-45560 Updated the docker base image from `python:3.11-slim-buster` to `python:3.11-slim`
Buster has reached end-of-life and its repositories were no longer accessible,
causing problems when starting the docker image. With this change we no longer
tie the image to a specific Debian version and instead use the latest python
3.11 slim image.
This only impacted newly created instances. However, if you’ve been running the
service for a while, we recommend rebuilding it to update your OS.
Contributions:
* Andrew Mansfield at Coretxa - TL-43805
* Michael Geering at Think Learning - TL-42693, TL-42783
* Sasha Anastasi at Catalyst - TL-44716
* Steven Hughes at Think Learning - TL-41289
Release 18.20 (29th July 2025):
Security issues:
TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol
Additionally, a new security check has been introduced to alert site
administrators when XML-RPC or SOAP web service protocols are enabled, as these
are considered insecure. If legacy web services are still required, the REST
protocol is the recommended option. However, please note that web services are
no longer actively maintained and will eventually be deprecated and removed. For
new integrations, it is strongly recommended to use the external API.
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
TL-45416 Fixed a user ID enumeration problem in profiles
TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
Improvements:
TL-45041 Added support for single tenanted Microsoft Teams integrations
The Microsoft Teams and Microsoft Teams Virtual Meetings plugins within Totara
Suite now support single-tenant Microsoft Entra (Azure AD) applications. Two new
settings — Bot tenant ID and Tenant ID — allow authentication to be scoped
to a specific tenant rather than using the global multi-tenant endpoint.
This change is backwards compatible and requires no action after upgrade unless
you use Azure apps restricted to a single tenant. In that case, you should
follow the instructions available in the public developer documentation for the
[Microsoft Teams|https://totara.atlassian.net/wiki/spaces/DEV/pages/121184874/Setting+up+Microsoft+Teams+integration#Step-2%3A-Create-an-application-in-Azure]
and [Microsoft Teams Virtual Meetings|https://totara.atlassian.net/wiki/spaces/DEV/pages/121185169/Setting+up+Microsoft+Teams+Virtualmeeting+plugin]
plugins respectively.
This change is necessary due to Microsoft ending support for new multi-tenant
Teams bots from 31 July 2025. Existing integrations will continue to function
without modification.
TL-45656 Backported behat steps to improve navigation to program and certification pages
Two new Behat steps have been added to create or edit a program/certification: “I go
to the program creation form”, “I go to edit the program X” and “I go to
edit the certification X”, where X is the short name of the program being edited.
This avoids going through several admin pages to edit a program or certification's
details.
Bug fixes:
TL-35724 Enabled responsive sizing for embedded videos in Weka editor
TL-36963 Fixed SMTP debug messages appearing when sending a test theme email
TL-38525 Fixed a bug where internal URLs were being treated as external URLs when redirecting in the Microsoft Teams application
TL-40084 Fixed permissions checks for the Goal Custom Fields report 'Goal Name' column when viewed by indirect managers
TL-40365 Fixed checks to not display 'Create goal' button when 'Create goal' permission is removed from a user
TL-40821 Prevented "call to action" indicator in reports when user cannot work on a certification
TL-40917 Added required JavaScript to rb_source_cohort_associations so we can POST sesskey correctly
TL-40953 Fixed tenant user managers being unable to view user emails
With this change the tenant participants report now assigns the tenant context
correctly. Additionally custom tenant reports also pass the context along. In
both cases this means the email column will be visible if enabled and the user
has the correct capability.
TL-41243 Allowed users to filter session attendance by 'not set' status in Seminar Sign-ups reports
TL-41289 Fixed error when using external logs with no record
TL-42016 Fixed a deprecation notice when a radio form field has no label
TL-42693 Fixed error if renaming file in Totara Forms File Manager
TL-42783 Fixed validation errors in Totara Forms File Manager
TL-43509 The test email results on the SMTP test page will now print escaped, showing the raw email content.
TL-43604 Fixed manual participant selectors for performance activities not being removed on relationship change
TL-43894 Fixed duplication of courses in your library by workspaces
TL-44009 Fixed course images not appearing in the 'Recent files' section of image uploads
TL-44374 Improved accessibility on grid catalogue details panel
TL-44427 Fixed in-progress course reset for individual users
Users with the capability can reset an in-progress course for themselves or other
users. Prior to this patch, this feature inadvertently left course-level
activity completion records in place, causing completion data to appear out of
sync in the completion editor. The bug also meant that learners with a
course-in-progress reset could sometimes complete the course without
re-completing all activities.
This patch also fixes an issue in recent Totara releases that prevented
individual reset of in-progress courses. Bulk course reset ('Reset completions')
remains limited to resetting completed courses only.
TL-44677 Fixed accessibility for the legacy select tree component
TL-44685 Fixed accessibility focus return when 'Catalog share' popover is closed
TL-44689 Improved keyboard accessibility of the view toggle on grid catalogue
TL-44692 Changed HTML tags used in \core_user\output\myprofile\renderer to improve accessibility
TL-44763 Fixed accessibility compliance for the notification preferences 'Expand All' button
TL-44786 News items in a course are now set to the default value when converting to a course format that supports it
TL-44809 Fixed audience visibility settings check for content market place courses
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
TL-44859 Changed the default profile image to improve colour accessibility
TL-45141 Fixed PHP exception when launching AICC SCORM
TL-45172 Fixed error in Report Builder graphs with aggregated percentage values
TL-41760 Added descriptive labels to 'Add' and 'Remove' buttons in permissions table
TL-41791 Updated logic to apply the correct ARIA role to popovers based on the trigger
Technical changes:
TL-38262 Improved behat testing accuracy for notifications tests
TL-38359 Fixed a problem when loading relationships via the ORM would not work if no items were found
Contributions:
* Michael Geering at Think Learning - TL-42693, TL-42783
* Steven Hughes at Think Learning - TL-41289
Release 17.33 (29th July 2025):
Security issues:
TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol
Additionally, a new security check has been introduced to alert site
administrators when XML-RPC or SOAP web service protocols are enabled, as these
are considered insecure. If legacy web services are still required, the REST
protocol is the recommended option. However, please note that web services are
no longer actively maintained and will eventually be deprecated and removed. For
new integrations, it is strongly recommended to use the external API.
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
TL-45416 Fixed a user ID enumeration problem in profiles
TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
Improvements:
TL-45041 Added support for single tenanted Microsoft Teams integrations
The Microsoft Teams and Microsoft Teams Virtual Meetings plugins within Totara
Suite now support single-tenant Microsoft Entra (Azure AD) applications. Two new
settings — Bot tenant ID and Tenant ID — allow authentication to be scoped
to a specific tenant rather than using the global multi-tenant endpoint.
This change is backwards compatible and requires no action after upgrade unless
you use Azure apps restricted to a single tenant. In that case, you should
follow the instructions available in the public developer documentation for the
[Microsoft Teams|https://totara.atlassian.net/wiki/spaces/DEV/pages/121184874/Setting+up+Microsoft+Teams+integration#Step-2%3A-Create-an-application-in-Azure]
and [Microsoft Teams Virtual Meetings|https://totara.atlassian.net/wiki/spaces/DEV/pages/121185169/Setting+up+Microsoft+Teams+Virtualmeeting+plugin]
plugins respectively.
This change is necessary due to Microsoft ending support for new multi-tenant
Teams bots from 31 July 2025. Existing integrations will continue to function
without modification.
TL-45656 Backported behat steps to improve navigation to program and certification pages
Two new Behat steps have been added to create or edit a program/certification: “I go
to the program creation form”, “I go to edit the program X” and “I go to
edit the certification X”, where X is the short name of the program being edited.
This avoids going through several admin pages to edit a program or certification's
details.
Bug fixes:
TL-35724 Enabled responsive sizing for embedded videos in Weka editor
TL-40084 Fixed permissions checks for the Goal Custom Fields report 'Goal Name' column when viewed by indirect managers
TL-40821 Prevented "call to action" indicator in reports when user cannot work on a certification
TL-41243 Allowed users to filter session attendance by 'not set' status in Seminar Sign-ups reports
TL-41289 Fixed error when using external logs with no record
TL-44427 Fixed in-progress course reset for individual users
Users with the capability can reset an in-progress course for themselves or other
users. Prior to this patch, this feature inadvertently left course-level
activity completion records in place, causing completion data to appear out of
sync in the completion editor. The bug also meant that learners with a
course-in-progress reset could sometimes complete the course without
re-completing all activities.
This patch also fixes an issue in recent Totara releases that prevented
individual reset of in-progress courses. Bulk course reset ('Reset completions')
remains limited to resetting completed courses only.
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
TL-45141 Fixed PHP exception when launching AICC SCORM
Technical changes:
TL-38262 Improved behat testing accuracy for notifications tests
TL-38359 Fixed a problem when loading relationships via the ORM would not work if no items were found
Contributions:
* Steven Hughes at Think Learning - TL-41289
Release 16.39 (29th July 2025):
Security issues:
TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
Improvements:
TL-45041 Added support for single tenanted Microsoft Teams integrations
The Microsoft Teams and Microsoft Teams Virtual Meetings plugins within Totara
Suite now support single-tenant Microsoft Entra (Azure AD) applications. Two new
settings — Bot tenant ID and Tenant ID — allow authentication to be scoped
to a specific tenant rather than using the global multi-tenant endpoint.
This change is backwards compatible and requires no action after upgrade unless
you use Azure apps restricted to a single tenant. In that case, you should
follow the instructions available in the public developer documentation for the
[Microsoft Teams|https://totara.atlassian.net/wiki/spaces/DEV/pages/121184874/Setting+up+Microsoft+Teams+integration#Step-2%3A-Create-an-application-in-Azure]
and [Microsoft Teams Virtual Meetings|https://totara.atlassian.net/wiki/spaces/DEV/pages/121185169/Setting+up+Microsoft+Teams+Virtualmeeting+plugin]
plugins respectively.
This change is necessary due to Microsoft ending support for new multi-tenant
Teams bots from 31 July 2025. Existing integrations will continue to function
without modification.
TL-45656 Backported behat steps to improve navigation to program and certification pages
2 new Behat steps have been added to create or edit a program/certification: “I go
to the program creation form”, “I go to edit the program X” and “I go to
edit the certification X”, where X is the short name of the program or certification being edited.
This avoids going through several admin pages to edit a program or certification
details.
Bug fixes:
TL-41289 Fixed error when using external logs with no record
TL-44427 Fixed in-progress course reset for individual users
Users with the capability can reset an in-progress course for themselves or for other
users. Prior to this patch, this feature inadvertently left course-level
activity completion records in place, causing completion data to appear out of
sync in the completion editor. The bug also meant that learners with a
course-in-progress reset could sometimes complete the course without
re-completing all activities.
This patch also fixes an issue in recent Totara releases that prevented
individual reset of in-progress courses. Bulk course reset ('Reset completions')
remains limited to resetting completed courses only.
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
Contributions:
* Steven Hughes at Think Learning - TL-41289
Release 15.45 (29th July 2025):
Security issues:
TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
Improvements:
TL-45041 Added support for single tenanted Microsoft Teams integrations
The Microsoft Teams and Microsoft Teams Virtual Meetings plugins within Totara
Suite now support single-tenant Microsoft Entra (Azure AD) applications. Two new
settings — Bot tenant ID and Tenant ID — allow authentication to be scoped
to a specific tenant rather than using the global multi-tenant endpoint.
This change is backwards compatible and requires no action after upgrade unless
you use Azure apps restricted to a single tenant. In that case, you should
follow the instructions available in the public developer documentation for the
[Microsoft Teams|https://totara.atlassian.net/wiki/spaces/DEV/pages/121184874/Setting+up+Microsoft+Teams+integration#Step-2%3A-Create-an-application-in-Azure]
and [Microsoft Teams Virtual Meetings|https://totara.atlassian.net/wiki/spaces/DEV/pages/121185169/Setting+up+Microsoft+Teams+Virtualmeeting+plugin]
plugins respectively.
This change is necessary due to Microsoft ending support for new multi-tenant
Teams bots from 31 July 2025. Existing integrations will continue to function
without modification.
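As an added illustration of what the TL-45041 change (described above, and identically in the 16.39 notes) means by scoping authentication to a tenant, the following is not Totara's own code; the class, method and setting names are assumptions, and it assumes the Microsoft identity platform v2 token-endpoint and issuer formats. It builds the token endpoint from the configured tenant ID instead of the shared multi-tenant alias, and goes one step further than the note by checking a decoded token against that tenant.

```php
<?php
// Added example, not Totara code. Assumes the Microsoft identity platform v2
// endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, the
// "common" multi-tenant alias, and the v2 issuer form
// https://login.microsoftonline.com/{tenant}/v2.0. All names are hypothetical.

final class EntraTenantScope
{
    private const AUTHORITY = 'https://login.microsoftonline.com';
    private const GUID = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';

    /**
     * Token endpoint for the configured tenant. An empty setting keeps the
     * previous multi-tenant behaviour ("common"); any other value must be a
     * GUID so a mistyped or injected value cannot point the request elsewhere.
     */
    public static function tokenEndpoint(string $tenantIdSetting): string
    {
        $tenant = trim($tenantIdSetting);
        if ($tenant === '') {
            $tenant = 'common';
        } elseif (!preg_match(self::GUID, $tenant)) {
            throw new InvalidArgumentException('Tenant ID must be a GUID');
        }
        return self::AUTHORITY . '/' . rawurlencode($tenant) . '/oauth2/v2.0/token';
    }

    /**
     * Defensive check on an already-verified token payload: when a tenant is
     * configured, the "tid" claim and the issuer must both belong to it.
     * Signature verification is assumed to have happened before this call.
     */
    public static function claimsMatchTenant(array $claims, string $tenantIdSetting): bool
    {
        $tenant = strtolower(trim($tenantIdSetting));
        if ($tenant === '') {
            return true; // multi-tenant mode: no tenant pinning
        }
        $tid = strtolower((string) ($claims['tid'] ?? ''));
        $iss = (string) ($claims['iss'] ?? '');
        return $tid === $tenant && $iss === self::AUTHORITY . '/' . $tenant . '/v2.0';
    }
}

// Constructed usage with a placeholder tenant ID (not a real tenant).
$tenantId = '00000000-0000-0000-0000-000000000000';
echo EntraTenantScope::tokenEndpoint(''), "\n";
echo EntraTenantScope::tokenEndpoint($tenantId), "\n";
var_dump(EntraTenantScope::claimsMatchTenant(
    ['tid' => $tenantId, 'iss' => "https://login.microsoftonline.com/$tenantId/v2.0"],
    $tenantId
));
```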
TL-45656 Backported behat steps to improve navigation to program and certification pages
2 new Behat steps have been added to create or edit a program/certification: “I go
to the program creation form”, “I go to edit the program X” and “I go to
edit the certification X”, where X is the short name of the program or certification being edited.
This avoids going through several admin pages to edit a program or certification
details.
Bug fixes:
TL-44427 Fixed in-progress course reset for individual users
Users with the capability can reset an in-progress course for themselves or for other
users. Prior to this patch, this feature inadvertently left course-level
activity completion records in place, causing completion data to appear out of
sync in the completion editor. The bug also meant that learners with a
course-in-progress reset could sometimes complete the course without
re-completing all activities.
This patch also fixes an issue in recent Totara releases that prevented
individual reset of in-progress courses. Bulk course reset ('Reset completions')
remains limited to resetting completed courses only.
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
Release 14.50 (29th July 2025):
Security issues:
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
Bug fixes:
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
Release 13.58 (29th July 2025):
Security issues:
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
Bug fixes:
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
Release 12.75 (29th July 2025):
Security issues:
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
Release 11.75 (29th July 2025):
Security issues:
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
Release 10.77 (29th July 2025):
Security issues:
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
