MachForm 29 Released. Security Update.

MachForm v29 is now available for download via your Account Area. This release addresses multiple security vulnerabilities identified in the previous version. We strongly recommend updating your installation immediately.

Security Patches

  • Stored Cross-Site Scripting (XSS): We have resolved a vulnerability in the form editor that allowed users with editing permissions to inject malicious JavaScript into the Media field.
  • Open Redirect: We addressed an issue in the login logic where the “from” parameter was not properly validated, potentially allowing attackers to redirect users to malicious domains upon login.
  • HTML Injection: A vulnerability in the user creation process has been fixed. Previously, insufficient validation allowed HTML code to be injected into notification emails, presenting a potential phishing vector.
  • User Enumeration: We have standardized responses in the password reset feature to prevent attackers from determining which email addresses exist in the system.
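The open-redirect fix above concerns a post-login “from” parameter that was sent to the browser without being checked. The following PHP is an added example written for this post, not MachForm's own code: it shows the kind of validation such a parameter needs before it is used in a Location header. The function name safeRedirectTarget and the sample inputs are assumptions constructed for the illustration.

```php
<?php
// Added example (not MachForm's code): only allow a post-login "from" value
// that names a path on this site; anything else falls back to $default.
declare(strict_types=1);

/**
 * Return a safe local redirect target derived from $from, or $default when
 * $from is absent, malformed, or would leave the current origin.
 */
function safeRedirectTarget(?string $from, string $default = '/'): string
{
    if ($from === null || $from === '') {
        return $default;
    }
    // Control characters (header injection) and backslashes (which some
    // browsers treat as "/") are never part of a legitimate local path.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $from)) {
        return $default;
    }
    // Anything carrying a scheme, host or credentials is off-site or a
    // pseudo-URL such as javascript:; parse_url reports "//host/" as a host.
    $parts = parse_url($from);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return $default;
    }
    $path = $parts['path'] ?? '';
    // Require an absolute local path that does not start with a second "/".
    if ($path === '' || $path[0] !== '/' || preg_match('#^//#', $path)) {
        return $default;
    }
    $target = $path;
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $target .= '#' . $parts['fragment'];
    }
    return $target;
}

// Constructed inputs: local paths pass through, everything else is replaced.
$cases = [
    '/admin/forms.php?id=7'          => '/admin/forms.php?id=7',
    'https://attacker.example/login' => '/',
    '//attacker.example/'            => '/',
    '/\\attacker.example'            => '/',
    'javascript:alert(1)'            => '/',
    'relative/path'                  => '/',
    ''                               => '/',
];
foreach ($cases as $input => $expected) {
    $got = safeRedirectTarget($input);
    printf("%-34s -> %s %s\n", var_export($input, true), $got,
        $got === $expected ? '(ok)' : '(UNEXPECTED)');
}
```

The design point is an allow-list: rather than trying to spot hostile prefixes, the function accepts only values that parse to a same-origin absolute path and rebuilds the target from those parsed pieces, so the original string never reaches the Location header unmodified.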

Technical Disclosure

Full technical details regarding these vulnerabilities will be published in the CVE database shortly. We will update this post with the corresponding CVE IDs as they become available.

Acknowledgments

We appreciate the work of Jacopo Taccucci for his diligence and expertise in responsibly identifying and reporting these issues.

PHP & MySQL Version Requirements

MachForm v29 requires PHP 8.1 or newer and MySQL 5.7 or newer on your server. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

Changelog

  • Security: Resolved a Stored Cross-Site Scripting (XSS) vulnerability within the form builder interface.
  • Security: Patched an “Open Redirect” vulnerability in the authentication flow.
  • Security: Fixed an HTML injection vulnerability affecting the user creation process.
  • Security: Mitigated a User Enumeration vector on the password reset page.
  • Security: Enhanced password policies by enforcing strong passwords and implementing a strength meter on the reset page.
  • Security: Updated administrative workflows: Admins must now generate reset links rather than changing user passwords directly.
  • Performance: Integrated the OpenSpout library to optimize memory usage when exporting large Excel datasets.
  • Performance: Optimized the “Choice Limit” logic to eliminate processing delays on forms with a high volume of fields.
  • Compatibility: Resolved code deprecation warnings to ensure full compatibility with PHP 8.5.
  • Bugfix: Fixed an issue where Microsoft 365 refresh tokens failed to renew correctly after 90 days.
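The user-enumeration item in the changelog (and in the Security Patches section above) describes standardizing the password-reset response so it no longer reveals whether an address is registered. The PHP below is an added example written for this post, not MachForm's code; the function names handleResetRequest and findUserIdByEmail, the sample user table, and the reset URL on forms.example are assumptions constructed for the illustration.

```php
<?php
// Added example (not MachForm's code): a reset-request handler whose reply is
// identical whether or not the e-mail address belongs to an account.
declare(strict_types=1);

const RESET_MESSAGE = 'If an account exists for that address, a reset link has been sent.';

/** Hypothetical user lookup over a constructed two-user table. */
function findUserIdByEmail(string $email): ?int
{
    $users = ['alice@example.com' => 1, 'bob@example.com' => 2]; // constructed
    return $users[strtolower(trim($email))] ?? null;
}

/**
 * Handle a reset request and return the message for the HTTP response.
 * $sendMail(string $to, string $link) and $storeToken(int $userId,
 * string $tokenHash, int $expires) are supplied by the caller.
 */
function handleResetRequest(string $email, callable $sendMail, callable $storeToken): string
{
    $userId = findUserIdByEmail($email);

    // Do the same work on both paths so timing does not differ by outcome.
    $token     = bin2hex(random_bytes(32));
    $tokenHash = hash('sha256', $token);   // only the hash is persisted
    $expires   = time() + 3600;

    if ($userId !== null) {
        $storeToken($userId, $tokenHash, $expires);
        // The raw token travels only inside the e-mail, never in the reply.
        $sendMail($email, 'https://forms.example/reset.php?token=' . $token);
    }

    // Same status, same wording, no "address not found" branch.
    return RESET_MESSAGE;
}

// Constructed stand-ins for the mailer and the token store.
$sent = [];
$stored = [];
$send  = function (string $to, string $link) use (&$sent): void { $sent[] = $to; };
$store = function (int $uid, string $hash, int $exp) use (&$stored): void { $stored[$uid] = $hash; };

foreach (['alice@example.com', 'nobody@example.com'] as $addr) {
    echo $addr, ': ', handleResetRequest($addr, $send, $store), "\n";
}
// Only the registered address triggered mail and a stored token hash;
// the returned text gave no hint of that difference.
var_dump($sent === ['alice@example.com'], array_keys($stored) === [1]);
```

Two details matter beyond the wording: the token is generated and hashed on both branches so the response time does not reveal the outcome, and only a hash of the token is stored, so a database read does not yield usable reset links. Sending mail synchronously can still leak timing; in a production deployment the send would normally be queued.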

How to Update

This update is provided at no cost for users with an active support contract. You can download the package from the Account Area.

Please follow the official upgrade guide here: Upgrading MachForm Self-Hosted
