Patch 2018.2 Patch 3 addresses security and integrity issues identified as part of a recent deviation or through 3rd party penetration testing. It also adds one trivial change to the Audit workflows. The changes do not impact data integrity and have little/no impact on User or Functional Requirements.
These items will be independently validated at completion and a regressions suite will be executed for the patch (OQ/PQ). The PenTest will also be re-executed to verify these changes, they cannot be easily tested (or tested at all) by clients and do not alter functionality.
This release is being managed through change control 31942 and due to the possible security concerns related to this issue we will be releasing this patch with a target of 22-APR-2019.
We do not expect any downtime since there are no database changes.
ZENQ-3319 Eliminate chance of name collision on uploaded file attachments in HTML editor
ZENQ-3318 As a User, I need the Audit Approval Workflow to allow the Lead Auditor to sign for approval
Context: This is a minor change, but here is an explanation to help with your risk assessment When you publish an audit the initial workflow has an option to require lead auditor approval (default is "No"). And then it enforces a required set of workflow steps per each audit category. Currently in production when you launches this initial workflow for approval, these workflow steps will not show the lead auditor as an option in the authorized list of approvers-- even if the user is an authorized signatory. This preclusion was onerous for smaller teams especially so we have removed the automatic exclusion. If you still want to enforce this, you can decide 2 workflow steps with different users such that no one person can author and approve their own report.
ZENQ-3259 Pen Test: G.2.1 Session Fixation Attack
ZENQ-3258 Pen Test: G.1.1 Persistent XSS found on website.
PDF-42 Aspose > generated Excel does not allow strings longer than 32K
Context: In some cases exporting the value of a long text 'field' to MSExcel runs into Excel's limit on cell size, which is ~32k chars. In this case there is no problem with exported PDFs or CSVs.