This is a maintenance release that fixes a few minor bugs, improves accessibility, and addresses some security vulnerabilities.
Thanks to Dell'Orco Antonio of Deloitte Risk Advisory Italy for reporting!
Changelog:
- # - fix report and sms manager
- # - fix groupmanagement acl
- # - fix static function call
- # - fix mailer and advanced search
- # - #20179 - SQL injection vulnerability in appLms/ajax.adm_server.php?r=widget/userselector/getusertabledata - CVE-2022-42924
- # - #20070 - Vulnerability - SQL Injection in adm/mediagallery/delete - CVE-2022-42923
- # - #20069 - Vulnerability - XSS in appLms/index.php?modname=faq&op=play - CVE-2022-41679
- # - #20177 - Vulnerability reflected-XSS in the title of discussions in the course forums - CVE-2023-46693
- # - #20178 - Vulnerability reflected-XSS in management of educational objects, through the FAQ title - CVE-2023-46693
- # - #20176 - Vulnerability reflected-XSS in the title parameter of the course advice - CVE-2023-46693
- # - fix typo in smtp password property handler
- # - fix lib.subscribe.php exception
- # - update composer libraries
- # - fix track object static properties definition and usage.
- # - fix typo in advice
- # - fix course end date when course_date is null
- # - fix soaplms adding not defined class properties
- # - fix system status check screen
- # - Fix learning object visibility for students.
- # - add migration to reset from 0000-00-00 00:00:00 to null learning object visibility.
- # - update readme
- # - #20174: fixed navigation with keyboard inside course's LOs, sized some fonts to 12px
- # - remove canRelExceptional function
- # - Upgraded template version number
- # - #20173: added highlight on focus of LO items
- # - add not assigned option in folder template and required domain and title in admindomain
- # - reverted back tinymce component
- # - Fixed issues related to classroom courses in calendar widget; improved accessibility for course date classroom courses popup.
- # - fix mod template in node selectors