NexoPOS 6.0.8

Blair2004 released this 13 Dec 15:13 · 248 commits to master since this release · 035dca5

Urgent Security Update Available:

We have released a critical security update for NexoPOS. We urge all users, especially those running self-hosted environments, to update immediately to protect their data and maintain application stability.

v6.0.7 and - Security & Stability Patch

This urgent release addresses two critical security vulnerabilities in the application's initial setup process. These vulnerabilities could cause a Denial of Service (DoS) or allow unauthorized configuration changes.

Key Fixes in This Update:

Critical Access Control Fix: We have restricted access to the Setup API endpoints (/api/setup/database) after installation. This prevents unauthorized, unauthenticated users from interacting with these internal configuration tools.

Security Hardening of Configuration: We have patched a critical vulnerability that allowed for the injection of arbitrary values into the application's configuration file (.env) via the setup process, which could have exposed sensitive credentials or led to a complete database connection break (DoS).
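
The two fixes above, sketched as an added example; this is not NexoPOS code. The function, constant and variable names are hypothetical, and the choice of fields and allow-list patterns is an assumption made for illustration.

```php
<?php
// Added illustration; not NexoPOS source. All names here are hypothetical.

// Allow-list of setup fields and the pattern each value must match in full.
// Rejecting instead of escaping is deliberate: escape rules differ between
// dotenv parsers, while a value with no quote, backslash, "$" or control
// character reads the same way once it is double-quoted.
// \A and \z are used because "$" would also match before a trailing newline.
const SETUP_FIELDS = [
    'DB_HOST'     => '/\A[A-Za-z0-9.:-]{1,253}\z/',
    'DB_PORT'     => '/\A[0-9]{1,5}\z/',
    'DB_DATABASE' => '/\A[A-Za-z0-9_-]{1,64}\z/',
    'DB_USERNAME' => '/\A[A-Za-z0-9_-]{1,64}\z/',
    'DB_PASSWORD' => '/\A[^\x00-\x1F\x7F"\'\\\\$`]{0,128}\z/',
];

/** Return the .env lines for a setup request, or throw if it must be refused. */
function buildEnvBlock(array $input, bool $installed): string
{
    // First fix: the setup path is closed once installation is complete.
    if ($installed) {
        throw new RuntimeException('setup is disabled after installation');
    }
    $lines = [];
    // Iterating over the allow-list means unknown keys in $input are never written.
    foreach (SETUP_FIELDS as $key => $pattern) {
        $value = $input[$key] ?? '';
        // Second fix: a value may not end its own line and start another entry.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("rejected value for $key");
        }
        $lines[] = $key . '="' . $value . '"';
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample requests: one valid, one carrying a line break in a value.
$ok  = ['DB_HOST' => '127.0.0.1', 'DB_PORT' => '3306', 'DB_DATABASE' => 'nexopos',
        'DB_USERNAME' => 'pos', 'DB_PASSWORD' => 's3cret!'];
$bad = ['DB_HOST' => "127.0.0.1\nEXTRA_KEY=x"] + $ok;

echo buildEnvBlock($ok, false);
foreach ([[$bad, false], [$ok, true]] as [$req, $installed]) {
    try {
        buildEnvBlock($req, $installed);
    } catch (Exception $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```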

Action Required:

Please update your NexoPOS module to the latest version as soon as possible to ensure your environment is fully protected.

Thank you for taking the time to look into this matter. Your security is our top priority.

Full Changelog: v6.0.7...v6.0.8