mautic/mautic

Change Log

Security

• Prevented updating custom fields that were not set as publicly updateable
• Fixed theme's Author URL XSS vulnerability (Reported by @joanbono)
• Fixed company name XSS vulnerability (Reported by @joanbono)

Features

• #6201 Feature install plugins command (@escopecz)
• #6132 Allow a contact to go through a campaign multiple times (@alanhartless)
• #6107 Company level email data reporting API (@Dreiser)
• #6060 Adds option to set custom headers for emails (@alanhartless)
• #5974 UTM tags - add a report for UTM tags (@Maxell92)
• #5869 [Enhancement] Allow filtering contacts by UTM data within campaigns. (@heathdutton)
• #5623 Builder preview button (@GaberNeighbor)
• #5344 Command to deduplicate contacts (@alanhartless)

Enhancements

• #6295 SMS transport use Lead instead of hardcoded phone (@alanhartless)
• #6292 Add campaign ID to the Momentum payload (@alanhartless)
• #6221 Add support to dispatch CampaignEvents::ON_EVENT_SCHEDULED_BATCH for the batch of failed rescheduled jobs (@alanhartless)
• #6215 New campaign action to jump to another event in the current campaign (@dongilbert)
• #6127 Add close button to form results (@kuzmany)
• #6120 Add FormBuilder to CustomFormEvent so plugins could modify Mautic forms (@escopecz)
• #6086 [Improvement] Add an index for manually_removed. (@heathdutton)
• #6074 Change default behavior for Send form results action (@dongilbert)
• #6073 Momentum Integration (@Dreiser)
• #6043 Store tokens in redirect URLs and replace the tokens on redirect (@escopecz)
• #6036 Dispatch event before Report's query execution for plugins to alter query (@scottshipman)
• #6016 Inject new custom content hooks below graphs (@kuzmany)
• #5980 Phpstan Travis check for Config and DashboardBundles (@escopecz)
• #5942 Complete refactoring of campaign processing (@alanhartless)
• #5886 [Enhancement] Allow filtering contacts by UTM data for segments. (@heathdutton)
• #5849 Display list of contacts on click in Click stats table across all channel (@kuzmany)
• #5781 Email code improvements (@escopecz)
• #5755 Segment refactoring (@Maxell92)
• #5728 Disable trackable urls in SMS integration (@kuzmany)

Bugs

• #6322 Fixed bug introduced in campaign refactoring that prevented some decisions from being evaluated (@alanhartless)
• #6294 Decouple Twilio from enabling campaign and channel subscribers (@alanhartless)
• #6293 Fixed bug that prevented push to campaign from working if we did not update the SF person (@alanhartless)
• #6287 Fix critical error when user hit email but lead is deleted (@Enc3phale)
• #6285 Fix widget events trigger in time (@Dcoutelle)
• #6260 Fix compatibility between tokens and redirect links (@alanhartless)
• #6246 Fix typo in PlainText Message Helper classname (@maxlawton)
• #6244 Decode special characters before setting from name (@alanhartless)
• #6239 Fix: Remove tags in campaign action (@kuzmany)
• #6238 Fix permission when cloning object (@Enc3phale)
• #6229 Fixed contact identification in clickthroughs generated in dynamic content and fixed fatal error for direct-to-contact sends (@alanhartless)
• #6222 Chart time unit (@scottshipman)
• #6208 Fixed extracting channel from event properties (@alanhartless)
• #6207 [Bugfix] Scheduled Campaign Events without Contacts (@dongilbert)
• #6200 Stop progress bar on ajax complete to account for timeouts (@escopecz)
• #6190 Bug empty csv header (@escopecz)
• #6176 Fixed BC break where property changes were no longer included in the fields array for getChanges() (@alanhartless)
• #6174 Correct the method used to clean URL (@Enc3phale)
• #6173 Fix reports when a column is added to aggregator and not to select (@escopecz)
• #6170 Do not generate company name from email address domain (@escopecz)
• #6169 Changed label from sent to opened (@Enc3phale)
• #6163 Set owner_id when sending emails via campaign to support owner is mailer (@escopecz)
• #6160 Fixed PHP notice during contact merging and redirects with asset and page link tokens (@escopecz)
• #6131 Prevent tracking device against a Mautic user (@alanhartless)
• #6118 Prevent points from getting reset after primary company is set (@alanhartless)
• #6116 Add field type url to work with contains, startsWith, endsWith on reports (@escopecz)
• #6098 Fixing duplicated tracking hashes (@hammad-tfg)
• #6085 Add Contact ID column into form results table (@escopecz)
• #6084 Fixes some things with merged #6060 custom headers (@alanhartless)
• #6083 Webhook payload type fixed (@escopecz)
• #6069 Fixed missing graph on the email reports (@escopecz)
• #6061 Fix form mapped field radio and checkbox group company (@kuzmany)
• #6041 Validate time units for data API endpoint (@escopecz)
• #6010 Prevent .1 from appending to theme filepath resulting in inability to download (@alanhartless)
• #6002 Make pre-comit hook executable (@escopecz)
• #5999 Multiselect - clearing all values on Company form fixed (@escopecz)
• #5993 Close button in segments redirect to view controller (@kuzmany)
• #5990 API getList endpoint without viewOther permission fixed (@enguerr)
• #5922 Support syncList form in Focus (@kuzmany)
• #5915 Fix: Update company fields If company exist on form submit (@kuzmany)
• #5875 [Bug] SQL error if no field is chosen for "Form field value" conditional. (@heathdutton)
• #5844 remove the hidden-xs class on Do Not Contact action on contact list mobile view (@guillaumedufour)
• #5777 fixing font (@GaberNeighbor)
• #5753 Fixed double return : unreachable code after return statement (@mtahiue)
• #5637 fix validation email exists (@Noa83)

Dev Notes

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @Dcoutelle, @dongilbert, @Dreiser, @Enc3phale, @enguerr, @escopecz, @GaberNeighbor, @GabriGreese, @guillaumedufour, @hammad-tfg, @heathdutton, @isleshocky77, @johbuch, @jonasstinkens, @justinfortes, @kuzmany, @luizeof, @Maxell92, @maxlawton, @Mazzim, @mtahiue, @Noa83, @npracht, @panchtatvam, @r-martins, @rc125, @sarahwernik, @scottshipman, @snoek8, @stoneddesigner, @tadinski, @Woeler, @yrammos

SHA1 for 2.14.0.zip = 1a926d8d3752c85bc3cc2543625d8762e44ca206
SHA1 for 2.14.0-update.zip = faab69da1ad5303523450195838e0ef126104832

Change Log

Enhancements

• #5958 Use a token for resetting a user password (@Dreiser)
• #5932 Added webhook unit tests (@escopecz)
• #5923 Added ivory coast to country list (@npracht)
• #5898 Add an index on date identified for the leads table (@alanhartless)
• #5635 Added ability to clone data slots in email and landing page builder (@GaberNeighbor)

Bugs

• #5984 Cleaned up DeviceModel dependencies (@Dreiser)
• #5979 Fixed a regression bug with batch API endpoints for new contacts that led to duplicates (@alanhartless)
• #5978 Fixed headers in contact CSV export (@alanhartless)
• #5976 Set all fields as listable to fix BC break in 2.13.0 (@escopecz)
• #5964 Fixed issue that caused points to be lost when merging contacts (@alanhartless)
• #5963 Fix for visitors not having a date created timestamp (@alanhartless)
• #5961 Fixed reports with campaign field used in groupBy but not in columns nor filters (@Maxell92)
• #5957 Fixed lost files after form delete (@Dreiser)
• #5944 Fixed tokens in CC and BCC emails when using SparkPost (@Maxell92)
• #5938 Stop email from sending when email is unpublished (@escopecz)
• #5927Disable SparkPost native click tracking and fixed reply to setting (@alanhartless)
• #5921 Fixed reports' items per page when the report contains group by (@Maxell92)
• #5908 Optimized the stat api (@escopecz)
• #5906 Fixed issue where unpublished custom fields were still visible in segments (@Dreiser)
• #5890 Fixed emails sent report with graphs (@Maxell92)
• #5882 Fixed emails report when adding any company field (@Maxell92)
• #5881 Fixed missing type namespace added to BodyParser (@escopecz)
• #5845 Fixed recursive call in WebhookQueueEvent.php (@hafeezhameed)
• #5792 Fixed exporting large number of form results (@kuzmany)

Developer Notes

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @Dreiser, @escopecz, @Flavio1998, @GaberNeighbor, @galvani, @hafeezhameed, @johbuch, @kuzmany, @Maxell92, @npracht, @rowlandhill

SHA1: 330094d1017d164d08cf2f4143ed9ece039506c6

Security Notices

1. [CVE-2018-8092] Closed the possibility of a CSV injection with exported contact lists - https://www.owasp.org/index.php/CSV_Injection (Reported by @joanbono with Accenture’s Prague TVM Team)
2. [CVE-2018-8071] Closed a XSS vulnerability injected into the UI through the title of a dashboard widget (Reported by @joanbono with Accenture’s Prague TVM Team)
3. [CVE-2018-8071] Closed a XSS vulnerability injected into the UI through a theme config file (Reported by @joanbono with Accenture’s Prague TVM Team)
4. [CVE-2018-10189] Closed the possibility of hijacking sessions due to tracking contacts by an auto-incremented ID. This allowed 3rd party to systematically emulate sessions for contacts which could allow them to glean information about the contacts through a form leveraging progressive profiling. Contacts are now tracked by a unique device ID although the old cookies are still made available to the browser for BC purposes. (Reported by @micschk).

Note: The feature Identify visitor by tracking url is still subject to vulnerability number 4 above. New installations now have it disabled by default but existing installations had it enabled. Therefore, if you are not using this feature, have the email custom field set as publicly updatable, and are leveraging form progressive profiling, please disable Identify visitor by tracking url in Mautic's configuration's Tracking Settings.

(CVEs are pending)

Change Log

Features

• #5854 Added plugin support for 3rd party SMS transports (@galvani)
• #5797 Added new API endpoint to send a SMS to contact (@kuzmany)
• #5794 Added plugin to integrate with Zapier per their app requirements (@escopecz)
• #5644 Added ability to clone segments (@davevurby)
• #5379 Track the source that created and identified a contact (displayed in the contact's History timeline) (@Dreiser)
• #4800 New campaign condition based on a contact's campaign membership (@kuzmany)

Enhancements

• #5790 Display URL custom fields with hyperlinks (@heathdutton)
• #5730 Added support to add no-index header to landing pages (@kuzmany)
• #5667 Added support to add no-index header to assets (@kuzmany)
• #5715 Added chunking options to the broadcast command (@escopecz)
• #5611 Added support to update company fields in tracking code (@kuzmany)
• #5437 Implemented lead device tracking rather than contact ID tracking (@Dreiser)
• #4732 Option to set contact as the reply to for the send form results post submit action (@captivea-ylb)
• #5718 Updated vendors to latest patch versions (@escopecz)
• #5621 Require OpenSSL for new installations and removed mcrypt as required (@Dreiser)
• #5582 Improved campaign progress statistics user interface (@renjith341)

Bugs

• #5842 Fixed CRM not mapping company custom fields for new companies (@alanhartless)
• #5841 Fixed bug in SF that did not use the nextUrl when syncing more than 2K and use SystemModStamp instead of LastModifiedDate (@alanhartless)
• #5840 Only push companies for integration syncs if push is enabled (@alanhartless)
• #5838 Added custom field alias constraint for database special keywords to prevent query errors (@escopecz)
• #5835 Escape backslashes in company names (and just in case, contact emails) to prevent Salesforce query errors (@alanhartless)
• #5834 Fixed issue with batch deleting custom fields where schema remained intact (@alanhartless)
• #5812 Import command when delayed will return success instead of failure (@escopecz)
• #5807 Save email stats before sending to ensure stat is available for emails sent immediately (@alanhartless)
• #5804 Add lead to the log only after persisted to avoid cascade persist error (@escopecz)
• #5800 Fixed email tokens that did not hydrate company data (@alanhartless)
• #5762 Use appropriate for loop on preEventDeliveryQueue array instead of for…in (@dongilbert)
• #5758 Fix social login with automatic generate form html code (@kuzmany)
• #5754 Fixed case where special characters in forms embedded on landing pages may not show (@kuzmany)
• #5752 Fixed issue with extending forms where data was not passed to the FormField through the $options array (@kuzmany)
• #5750 Fixed setting contact's owner and stage via API (@escopecz)
• #5741 Fixed email dynamic content owner lookup (@kuzmany)
• #5735 Replace the use of eval-based JavaScript (@Flavien)
• #5702 Fixed the UI for Form Field properties tab (@kuzmany)
• #5701 Fixed problem with MailjetTransport header X-MJ-CUSTOMID (@XRaccourci)
• #5697 Fix pending count on segment email (@Dcoutelle)
• #5676 Prevented a PHP Notice, Undefined variable: companyFields (@escopecz)
• #5675 Update the contact's primary company name after company name changed (@kuzmany)
• #5666 Fixed API activity date filters (@Noa83)
• #5620 Fixed Froala code view editor where image CSS was getting stripped (@GaberNeighbor)
• #5616 Fixed multi-select field matching with SugarCRM (@stancel)
• #5599 Prevent errors if trying to execute subsequent actions for a contact just removed from a campaign (@kuzmany)
• #5551 Fix multiselect custom field in campaign condition (@kuzmany)
• #5545 Fixed vTiger mapping issue (@kuzmany)
• #5533 Fixed segmenting contacts based multi-select custom fields (@kuzmany)
• #5520 Prevented creating duplicate contacts through the API due to sanitizing unique identifiers after checking for existing (@escopecz)
• #5304 Fixed generated HTML for forms embedded into focus items (@kuzmany)
• #5291 Added Zoho unit tests (@Dcoutelle)
• #5258 Fixed syncing multi-select fields with Pipedrive (@kuzmany)

Developer notes

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @brandner, @calevans, @captivea-ylb, @chendwww, @chrisinf, @coffeverton, @davevurby, @Dcoutelle, @dongilbert, @Dreiser, @dsp76, @escopecz, @Flavien, @GaberNeighbor, @galvani, @heathdutton, @joanbono, @johbuch, @justinfortes, @KaKite, @kuzmany, @manishbhatias, @micschk, @mMuck, @mrerich, @Noa83, @npracht, @renjith341, @rowlandhill, @sarahwernik, @stancel, @XRaccourci, @YannickBiet, @yourdigitalclub

SHA1: fc130eefbde2eb22a4d1de3aa5815b98c177d782

Security Notes

This release fixes 2 security vulnerabilities.

1. SQL injection vulnerability when fetching asset file size reported by Victor Odiah
2. AJAX POST requests CSRF vulnerability reported by Victor Odiah

Enhancements

• #5622 Add e-mail replies to contact timeline (@Dreiser)
• #5574 Remove deprecated leadfield token from wysiwyg (@Dreiser)
• #5512 Clean up countries list (@Dreiser)

Change Log

Bugs

• #5631 Added back empty value support for select fields (@alanhartless)
• #5607 Prevent Id from being part of the mapped fields when pushing to prevent errors (@alanhartless)
• #5603 Company fields selection in email sent report fix (@davevurby)
• #5601 Added missing reports filters columns (@kuzmany)
• #5597 Sendgrid or the API rejects the message with 400 bad request if the substitution value is not a string (@alanhartless)
• #5596 Do not use channel and channelId from channel_url_trackables to count… (@escopecz)
• #5594 Bug 280 chars for twitter (@escopecz)
• #5592 "IF NOT EXISTS" added to all "CREATE TABLE" migrations (@escopecz)
• #5588 Show error above the report form (@davevurby)
• #5580 Fix: Some report filters show just company fields (@kuzmany)
• #5577 Saving Page Settings fix (@escopecz)
• #5572 Update base.html.twig (@arturu)
• #5567 Support assigned field's list choices for companies in forms (@kuzmany)
• #5565 Dispatch events for Leads and Companies created by Pipedrive (@alanhartless)
• #5558 Fix: Domain match when submitting form when Mautic is installed in subfolder (@chrisschrijver)
• #5557 Set constraint on subject field in email form (@davevurby)
• #5555 Small fix for preUp check in migration (@chrisschrijver)
• #5548 New themes actions fixes (@escopecz)
• #5540 Prevent conditions connected into the "inaction/negative/red" path of a decision from being evaluated if the contact went down the "action/positive/green" path (@alanhartless)
• #5534 Fixes #5532 problem with MailjetTransport header X-MJ-CUSTOMID (@XRaccourci)
• #5529 Stats should not be saved for emails sent to users by default (@alanhartless)
• #5526 Prevent SQL error when processing bad email address (@alanhartless)
• #5518 Retry updating SF locked records several times before giving up and fixed campaign segment sync (@alanhartless)
• #5517 Properly escape links in email click campaign decisions (@alanhartless)
• #5516 Don't encode special chars when importing values (@alanhartless)
• #5513 Escape input values (@escopecz)
• #5511 Fixes #5458 problem with lists. Thanks @XRaccourci (@dbhurley)
• #5510 Added missing state, Telangana. Thanks @farmnest (@dbhurley)
• #5508 Fixed typos. Fixes #3762. Thanks @mtahiue (@dbhurley)
• #5507 Removed '-' from theme config. Fixes #5492. Thanks @kolinz (@dbhurley)
• #5489 Fix: Builder Froala popup scroll issue (@kuzmany)
• #5484 changed length for the varchar's redirect_url column of Page entity. (@Noa83)
• #5463 Fix url for installer (@hason)
• #5397 Fix SMS Do Not Contact (@mikerowe81)
• #5349 Fix FormBundle\EventListener\FormSubscriber logic when lead is null. (@shulard)
• #5303 Push lead owner to Sugar CRM through forms and campaigns (@MaxWebmecanik)
• #5260 [Bugfix] Preference page loading (@dongilbert)
• #5033 LeadFieldData set type correctly for comparison with textarea (@phil-davis)

Developer

SHA1: 081b467829b9cc3ddb81f90d855e31e9da6535ab

A big thank you to the following community members for contributing to this release either by code or bug report: @4evermaat, @alanhartless, @arturu, @chrisschrijver, @davevurby, @dbhurley, @dongilbert, @Dreiser, @escopecz, @gingerling, @hason, @johbuch, @kuzmany, @marcel-ambta, @matishaladiwala, @Maxell92, @MaxWebmecanik, @mikerowe81, @Noa83, @npracht, @phil-davis, @sarahwernik, @shulard, @thomeudt, @XRaccourci

Change Log

Enhancements

• #5412 Sendgrid API (@Maxell92)
• #5434 UX fix: Campaign action buttons (@kuzmany)
• #5414 Ignore queue mode for send email action (@kuzmany)
• #5407 Add support for a channel subscription webhook (@alanhartless)
• #5405 Changed pending email query structure to improve speed (@howlinghuffy)
• #5384 Refactored mail transport callbacks (fixes Sparkpost issue with immediate feedback) (@alanhartless)
• #5293 Updating tooltip (@lvnilesh)
• #5092 Correct end app-footer (@phil-davis)
• #5060 Calculate fake import start from import end (@phil-davis)
• #5031 Pass table name on which to drop index (@phil-davis)
• #4915 Changing with from px to % on the builder (@zhakid)
• #4883 Changes email frequency field to number type (@robwent)

Bugs

• #5477 Sparkpost attachment - fixed bug when attachment was not send (@Maxell92)
• #5472 Fixed two segment membership based errors with companies (@alanhartless)
• #5450 Fixed is:mine command and added user session support for functional tests (@alanhartless)
• #5446 Prevent reference ID error with push SF activities for point changes and other timeline events (@alanhartless)
• #5440 Prevent array to string conversion error with form selects mapped to Contact state (@alanhartless)
• #5439 Prevent JS errors when custom validation callbacks are used (@alanhartless)
• #5427 Fixed ConnectWise bug that fetched only 25 of anything (@alanhartless)
• #5425 Remove clone button from segments (@alanhartless)
• #5424 Mapped company when pushing to Connectwise causes error (@alanhartless)
• #5422 Fix file naming for SSH upgrades. (@dongilbert)
• #5419 Fixes #5227 Rearranged call to fixValueType (@dbhurley)
• #5411 fix relative year segment filter (@Dcoutelle)
• #5410 Better Fix for #5403 problem with DNC email graphs (@dbhurley)
• #5408 Support csv files with Mac legacy line endings (\r) in background imports (@alanhartless)
• #5402 Bug api entities order (@escopecz)
• #5399 php-cs-fixer - update windows hook (@kuzmany)
• #5396 Prevent creating duplicate contacts in the contacts/batch/new (@alanhartless)
• #5393 DateModified is set when changing tweet text or name (@escopecz)
• #5382 grunt-remove is required for build process (@isleshocky77)
• #5375 Fix: startsWith, endsWith, contains in campaign contact field condition (@kuzmany)
• #5370 On edit if entity locked stay on the same page, provided referer is available (@renjith341)
• #5366 Fix: Checkbox group in form return bool (@kuzmany)
• #5361 Fix user permission class for BuilderTokenHelper (@dongilbert)
• #5360 Enhance Dynamic Content (@dongilbert)
• #5350 Fix: Custom field doesn't update Mautic custom field after create/update on Pipedrive (@kuzmany)
• #5338 Don't return unpublished dynamic content when displaying on site. (@dongilbert)
• #5336 Adding better error messages synccontacts command (@isleshocky77)
• #5334 Fix: Reports bounced columns (@kuzmany)
• #5333 Fix connectwise API to map contact company. (@dongilbert)
• #5299 Change hit comparison from exact to equals-or-more (@micschk)
• #5296 Update PointActionHelper to use wildcard URL from Point Action instead of exact URL from hit event (@micschk)
• #5259 Fix: Empty contact field value set to null on edit (@kuzmany)
• #5257 Fixed error in FocusModel where clicks and submissions were for all f… (@maltonite)
• #5255 Modifed Notification/parent.less.php in focus bundle to stop error of… (@maltonite)
• #5233 Missing Translations for Top Lists Dashboard Widget (@isleshocky77)
• #5216 Fix: Contacts API doesn't return stage metadata for contact (@kuzmany)
• #5070 Fix encode in webhook campaign action. (@VitorSavedra)
• #5022 Modified AbstractIntegration to handle $settings['curl_options'] as expected (@cklingsporn)

Developer Info

SHA1 Hash: 68eae0b27442b32f24d41cb4bea8fbfaa2f9772e

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @cklingsporn, @dantearaujo, @dbhurley, @Dcoutelle, @dongilbert, @escopecz, @howlinghuffy, @isleshocky77, @johbuch, @justinfortes, @kuzmany, @luizeof, @lvnilesh, @maltonite, @Maxell92, @micschk, @phil-davis, @RCheesley, @renjith341, @robwent, @VitorSavedra, @zhakid