Hello everyone,
The following versions of Totara have now been released:
- Release 19.1.2
- Release 19.0.8
- Release 18.21
- Release 17.34
- Release 16.40
- Release 15.46
- Release 14.51
- Release 13.59
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Davo Smith - Synergy Learning - TL-45319
Kind regards
Release Team
Release 19.1.2 (25th August 2025):
Security issues:
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
TL-45738 Fixed a potential XSS vulnerability in Tui core
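After upgrading, a site can check which roles and users hold the new mod/data:manage_jstemplate capability from TL-45367. The queries below are an added example, not part of the Totara release notes or code; they assume the default "ttr_" table prefix and the standard role, role_capabilities, role_assignments, context and user tables.

```sql
-- Added example: audit who can edit database activity JavaScript templates.
-- Assumptions: table prefix "ttr_" (adjust to your site's prefix) and the
-- standard role tables. permission: 1 = allow, -1 = prevent, -1000 = prohibit.

-- 1) Roles where the capability is defined, the context it is defined in,
--    and how many users hold that role anywhere on the site. This is an
--    upper bound on exposure, not an effective-permission calculation.
SELECT r.shortname                AS role_shortname,
       r.archetype                AS role_archetype,
       rc.permission              AS permission,
       cx.contextlevel            AS defined_at_level,   -- 10 = system, 50 = course, 70 = module
       cx.instanceid              AS defined_at_instance,
       COUNT(DISTINCT ra.userid)  AS users_assigned_role
FROM ttr_role_capabilities rc
JOIN ttr_role r       ON r.id  = rc.roleid
JOIN ttr_context cx   ON cx.id = rc.contextid
LEFT JOIN ttr_role_assignments ra ON ra.roleid = rc.roleid
WHERE rc.capability = 'mod/data:manage_jstemplate'
GROUP BY r.shortname, r.archetype, rc.permission, cx.contextlevel, cx.instanceid
ORDER BY rc.permission DESC, users_assigned_role DESC;

-- 2) Individual active users assigned a role that allows the capability,
--    with the context of each assignment, for review against the list of
--    people who are trusted to author JavaScript templates.
SELECT DISTINCT u.id        AS user_id,
       u.username           AS username,
       r.shortname          AS role_shortname,
       acx.contextlevel     AS assigned_at_level,
       acx.instanceid       AS assigned_at_instance
FROM ttr_role_capabilities rc
JOIN ttr_role r              ON r.id   = rc.roleid
JOIN ttr_role_assignments ra ON ra.roleid = rc.roleid
JOIN ttr_context acx         ON acx.id = ra.contextid
JOIN ttr_user u              ON u.id   = ra.userid
WHERE rc.capability = 'mod/data:manage_jstemplate'
  AND rc.permission = 1
  AND u.deleted = 0
ORDER BY u.username, r.shortname;
```

An empty result from the first query means no role has the capability defined, so nobody other than site administrators would be expected to edit JavaScript templates.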
Performance improvements:
TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled
On a site with a large number of job assignments it can be expensive to check if
there are temporary managers even if the feature is not used.
With this change in place the temporary manager check only occurs if the option
is enabled and at least one temporary manager exists.
Improvements:
TL-35330 Added new HR Import setting to allow users to configure the threshold percentage for uploading new records without seeing a confirmation message
Currently a user importing records into the system with fewer records in the
source than in the system and "Source contains all records" set will see a
confirmation dialogue that they will need to approve before the import can take
place.
With this change, a new setting has been added that can be tuned so that the
message only appears when the minimum records threshold percentage is not met.
This will allow users to tacitly accept consequences for uploading fewer records
than there are in the system if "Source contains all records" is set.
Bug fixes:
TL-38044 Fixed an issue where tenant theme custom colours were not saving
TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
TL-42698 Fixed incorrect due date showing on assignment group summary page
TL-43798 Auto-login as Guest no longer requires the login page guest button to be visible
This fix removes the hidden requirement for the guest button to appear on the
login page for auto-login guest access to work. With this change, guest
auto-login works without the login page showing the guest sign-in button.
TL-43838 Fixed check for existing records in the record of learning
Fixed a potential concurrency issue while inserting records into table
'dp_record_of_learning', which could conflict if executed at the same time as
the 'Synchronise audience members' scheduled task.
TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
TL-44823 Fixed bug where the log store was not using the provided options with SQL Server
The following new settings were added to the external database configuration for
logs:
* Connection encryption
* Trust server certificate
These settings will only be applied to Microsoft SQL Server.
TL-44835 Fixed bug where Auth DB was not using the provided config options with SQL Server
The following new settings were added to the external database configuration for
authentication:
* Connection pooling
* Connection encryption
* Trust server certificate
These settings will only be applied to Microsoft SQL Server.
TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
TL-45394 Fixed issue where the downloadable icon was not displaying for all downloadable courses in the Find Learning section of the mobile app
Added the following capabilities to the 'Authenticated user' role for new
installs, matching other module permissions, so that checks for downloadable
activities in the mobile app could be run more accurately prior to enrolment on
the course. If this is functionality you use on an existing site, we recommend
adding the same capabilities:
* mod/scorm:view
* mod/certificate:view
TL-45445 Added missing language string in reportbuilder
TL-45542 Fixed notification debugging not being displayed in cron logs
TL-45677 Updated mobile language strings to be in line with the app
TL-45702 Fixed the Excimer purge data failure caused by invalid dates
The Excimer purge date was calculated from the current day. It is now calculated
from the first day of the month to avoid edge cases with invalid dates, such as
the 29th February.
TL-45816 Removed the hard-coded expiry date from the job assignment unit test
TL-45871 Fixed a problem where OAuth provider error messages were lost when Totara tried to fetch an access token
When connecting a system account to an OAuth provider, if the response was not a
200 success status any error message returned would be ignored and a generic
“Could not upgrade oauth token” message was shown. This fix now means a more
specific message is shown regardless of whether the status is 200 or not, and if
debugging is enabled the provider’s message is shown.
TL-42574 Added the region name to the 'Add a block' button title
Contributions:
* Davo Smith - Synergy Learning - TL-45319
Release 19.0.8 (25th August 2025):
Security issues:
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
TL-45738 Fixed a potential XSS vulnerability in Tui core
Performance improvements:
TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled
On a site with a large number of job assignments it can be expensive to check if
there are temporary managers even if the feature is not used.
With this change in place the temporary manager check only occurs if the option
is enabled and at least one temporary manager exists.
Bug fixes:
TL-38044 Fixed an issue where tenant theme custom colours were not saving
TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
TL-42698 Fixed incorrect due date showing on assignment group summary page
TL-43798 Auto-login as Guest no longer requires the login page guest button to be visible
This fix removes the hidden requirement for the guest button to appear on the
login page for auto-login guest access to work. With this change, guest
auto-login works without the login page showing the guest sign-in button.
TL-43838 Fixed check for existing records in the record of learning
Fixed a potential concurrency issue while inserting records into table
'dp_record_of_learning', which could conflict if executed at the same time as
the 'Synchronise audience members' scheduled task.
TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
TL-44823 Fixed bug where the log store was not using the provided options with SQL Server
The following new settings were added to the external database configuration for
logs:
* Connection encryption
* Trust server certificate
These settings will only be applied to Microsoft SQL Server.
TL-44835 Fixed bug where Auth DB was not using the provided config options with SQL Server
The following new settings were added to the external database configuration for
authentication:
* Connection pooling
* Connection encryption
* Trust server certificate
These settings will only be applied to Microsoft SQL Server.
TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
TL-45445 Added missing language string in reportbuilder
TL-45542 Fixed notification debugging not being displayed in cron logs
TL-45677 Updated mobile language strings to be in line with the app
TL-45816 Removed the hard-coded expiry date from the job assignment unit test
TL-45871 Fixed a problem where OAuth provider error messages were lost when Totara tried to fetch an access token
When connecting a system account to an OAuth provider, if the response was not a
200 success status any error message returned would be ignored and a generic
“Could not upgrade oauth token” message was shown. This fix now means a more
specific message is shown regardless of whether the status is 200 or not, and if
debugging is enabled the provider’s message is shown.
TL-42574 Added the region name to the 'Add a block' button title
Contributions:
* Davo Smith - Synergy Learning - TL-45319
Release 18.21 (25th August 2025):
Security issues:
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
TL-45738 Fixed a potential XSS vulnerability in Tui core
Performance improvements:
TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled
On a site with a large number of job assignments it can be expensive to check if
there are temporary managers even if the feature is not used.
With this change in place the temporary manager check only occurs if the option
is enabled and at least one temporary manager exists.
Bug fixes:
TL-38044 Fixed an issue where tenant theme custom colours were not saving
TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
TL-39781 Fixed program assignment due date changes not being deferred
When a due date is added or updated on a program or certification assignment,
the change will be deferred rather than being applied immediately. This prevents
problems on large sites. This change was applied in a previous ticket in Totara
19.0 and above.
TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
TL-42698 Fixed incorrect due date showing on assignment group summary page
TL-43838 Fixed check for existing records in the record of learning
Fixed a potential concurrency issue while inserting records into table
'dp_record_of_learning', which could conflict if executed at the same time as
the 'Synchronise audience members' scheduled task.
TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
TL-45445 Added missing language string in reportbuilder
TL-45542 Fixed notification debugging not being displayed in cron logs
TL-45816 Removed the hard-coded expiry date from the job assignment unit test
TL-42574 Added the region name to the 'Add a block' button title
Contributions:
* Davo Smith - Synergy Learning - TL-45319
Release 17.34 (25th August 2025):
Security issues:
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
TL-45738 Fixed a potential XSS vulnerability in Tui core
Bug fixes:
TL-38044 Fixed an issue where tenant theme custom colours were not saving
TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
TL-45816 Removed the hard-coded expiry date from the job assignment unit test
Release 16.40 (25th August 2025):
Security issues:
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
TL-45738 Fixed a potential XSS vulnerability in Tui core
Bug fixes:
TL-38044 Fixed an issue where tenant theme custom colours were not saving
Release 15.46 (25th August 2025):
Security issues:
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
TL-45738 Fixed a potential XSS vulnerability in Tui core
Bug fixes:
TL-38044 Fixed an issue where tenant theme custom colours were not saving
Release 14.51 (25th August 2025):
Security issues:
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
TL-45738 Fixed a potential XSS vulnerability in Tui core
Bug fixes:
TL-38044 Fixed an issue where tenant theme custom colours were not saving
Release 13.59 (25th August 2025):
Security issues:
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
TL-45738 Fixed a potential XSS vulnerability in Tui core
