
Cerebrate v1.31 – Security & Access Control Improvements

@iglocska released this 08 Jan 14:45 · 101 commits to main since this release
Tag: v1.31
Commit: ebaa0d5

Cerebrate 1.31 Release Notes

This release focuses on security hardening, access control correctness, and UI/accessibility polish, with several issues responsibly reported by the community and promptly addressed.

Security Fixes

This release addresses multiple security vulnerabilities across Cerebrate, including issues related to mass assignment handling, access control enforcement, and potential privilege escalation vectors. All issues were responsibly reported by Jeroen Pinoy (Wachizungu) and have been fully resolved. Detailed vulnerability information has been published and the following GCVE identifiers have been assigned. Users are strongly encouraged to upgrade.

Access Control & Logic Fixes

  • ACLComponent permission logic
    • Corrected AND-rule evaluation logic to ensure permissions are enforced as intended.
  • Organization limitation counter
    • Tightened checks so limitation counters are only displayed for editable organizations, preventing misleading UI states.
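The release note above says only that AND-rule evaluation in ACLComponent was corrected, not what the defect was. The following constructed example (not Cerebrate's code, and not a description of the fixed bug) shows what correct AND semantics over a list of permission checks look like next to one common way such logic goes wrong, so that a reviewer can recognise the difference. The user and resource records, the check functions and the rule are all hypothetical.

```python
"""Constructed example: AND-rule evaluation over permission checks.

Not Cerebrate's ACLComponent; the data model and checks are invented for
illustration only.
"""
from typing import Callable, Dict, Iterable, List

User = Dict[str, object]
Resource = Dict[str, object]
Check = Callable[[User, Resource], bool]


# Hypothetical permission checks, each answering one question.
def is_authenticated(user: User, resource: Resource) -> bool:
    return bool(user.get("id"))


def is_org_admin(user: User, resource: Resource) -> bool:
    return user.get("role") == "org_admin"


def same_org(user: User, resource: Resource) -> bool:
    return user.get("org_id") == resource.get("org_id")


def and_rule_with_or_semantics(checks: Iterable[Check], user: User, resource: Resource) -> bool:
    """Hypothetical defect pattern: returns on the first passing check.

    This is OR semantics dressed up as AND: any single satisfied check grants
    access, so a weak check (e.g. 'is logged in') overrides the strong ones.
    """
    for check in checks:
        if check(user, resource):
            return True
    return False


def and_rule(checks: Iterable[Check], user: User, resource: Resource) -> bool:
    """Correct AND evaluation: every check must pass.

    An empty rule fails closed; a misconfigured (empty) rule must not grant.
    """
    checks = list(checks)
    if not checks:
        return False
    return all(check(user, resource) for check in checks)


# Hypothetical rule: editing an organisation requires all three checks.
EDIT_ORG_RULE: List[Check] = [is_authenticated, is_org_admin, same_org]

# Constructed sample records.
ADMIN_A: User = {"id": 1, "role": "org_admin", "org_id": 10}
ADMIN_B: User = {"id": 2, "role": "org_admin", "org_id": 20}
MEMBER_A: User = {"id": 3, "role": "member", "org_id": 10}
ORG_A: Resource = {"id": 10, "org_id": 10}


def compare(rule: Callable[[Iterable[Check], User, Resource], bool]) -> Dict[str, bool]:
    """Evaluate one rule implementation for every sample user against ORG_A."""
    return {
        "admin_same_org": rule(EDIT_ORG_RULE, ADMIN_A, ORG_A),
        "admin_other_org": rule(EDIT_ORG_RULE, ADMIN_B, ORG_A),
        "member_same_org": rule(EDIT_ORG_RULE, MEMBER_A, ORG_A),
    }


if __name__ == "__main__":
    for name, rule in (("OR-semantics defect", and_rule_with_or_semantics), ("correct AND", and_rule)):
        print(name, compare(rule))
```

Only `admin_same_org` should be granted; the defective evaluator grants all three because every sample user passes `is_authenticated`. A regression test that asserts on the deny cases (and on the empty-rule case) is the cheap way to keep this class of logic error from coming back.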

UI, Templates & UX

  • Accessibility improvements
    • Fixed incorrect aria-label on accordion scaffold elements to improve screen reader support.
  • Error message and typo fixes
    • Corrected typos in:
      • OrgGroups tag/untag error messages
      • SharingGroups controller

Acknowledgements

Special thanks to Jeroen Pinoy (Wachizungu) for responsibly reporting multiple security issues and contributing several fixes, and for helping improve the overall security and robustness of Cerebrate.