@alanhartless released this Dec 7, 2017 · 2351 commits to staging since this release

Security Notes

This release fixes 3 security vulnerabilities. (CVEs pending)

  1. [CVE-2017-1000490] Closed a vulnerability in Filemanager that allowed an authorized Mautic user to download any file from the web server that the web user had access to using ....// in the URL's path GET parameter. It was only possible to leverage this vulnerability if already logged into Mautic. Reported by @pahan12

  2. [CVE-2017-1000489] When a third-party SSO plugin was in use, a user whose account was disabled could still log in if the email address matched. This is now fixed: disabled users are denied access when logging in through SSO.

  3. [CVE-2017-1000488] Closed an inline JS XSS vulnerability in Mautic landing pages with a Mautic form embedded. Because the feature that pre-populates form values from GET parameters placed the value into an HTML attribute, it was possible to inject script using something like ?first_name=%22%20onfocus=%22alert(123).

Change Log
  • #4312 #5342 Merge Twitter contacts by matching name (@Woeler)
  • #5331 Option to Include company fields in contact related data sources
  • #5311 New selection of responsive email and landing page themes
  • #5205 Schedule reports to be emailed
  • #5204 New contact tag management API endpoints
  • #5194 New campaign decision based on contact email replies
  • #5176 A new segment detail view to give insight into what contacts were added by filter versus manually managed
  • #5159 Click to view contacts for web/mobile notifications and SMS
  • #5157 New report based on segment membership
  • #4920 Add option to sync do-not-contact statuses between Salesforce and Mautic based on whichever one was last modified

  • #5189 Form submission supports zero as a valid value (@kuzmany)
  • #5156 Fix EN translation strings found while translating to ES (@joebordes)
  • #5365 Fixed issue where integration DNC was mapped as DoNotContact entity preventing pushing DNC status to integration
  • #5101 Fix unit test warnings (@phil-davis)
  • #5327 Fixes a couple of mailer issues unique to AbstractTokenArrayTransport with a batch recipient limit of 1
  • #5320 Prevented a notice from the SF integration unit tests
  • #5302 Fixed campaign preview horizontal overflow (@kuzmany)
  • #5282 Fixed imports creating duplicates when email field is publicly updatable (@Dcoutelle)
  • #5280 Fixed focus cookie path (@kuzmany)
  • #5265 Fixed Javascript loop causing browser to lock up in Page Builder
  • #5261 Fixed import when --limit is used where the second run will skip the batch
  • #5244 Fixed several SugarCRM sync bugs
  • #5215 Fixed custom field values not populating in form builder for "select" fields
  • #5212 Fixed reports paginator and emails date range filter
  • #5197 Avoid data too long errors in db when fetching from integration
  • #5196 Fixed broken report widget
  • #5191 Fixed duplicate points on form action where company field present (@kuzmany)
  • #5160 Fixed Salesforce EntityNotFoundException when a record is locked
  • #5061 Fixed notification title and loop bug (@kuzmany)
  • #4894 Fixed tracking error in IE11 on asp.net sites (@Dcoutelle)

Developer Info

SHA-1: 30845246e5315469bbcbe5f4c96852ce10c5d534

A big thank you to the following community members for contributing to this release either by code or bug report: @Dcoutelle, @IncrentaDev, @joebordes, @kuzmany, @MaxWebmecanik, @micschk, @phil-davis, @rahulwalunje, @Woeler