2.13.0

@alanhartless alanhartless released this 17 Apr 17:30

Security Notices

  1. [CVE-2018-8092] Closed the possibility of a CSV injection with exported contact lists - https://www.owasp.org/index.php/CSV_Injection (Reported by @joanbono with Accenture’s Prague TVM Team)
  2. [CVE-2018-8071] Closed an XSS vulnerability injected into the UI through the title of a dashboard widget (Reported by @joanbono with Accenture’s Prague TVM Team)
  3. [CVE-2018-8071] Closed an XSS vulnerability injected into the UI through a theme config file (Reported by @joanbono with Accenture’s Prague TVM Team)
  4. [CVE-2018-10189] Closed the possibility of hijacking sessions due to tracking contacts by an auto-incremented ID. This allowed a third party to systematically emulate sessions for contacts, which could let them glean information about the contacts through a form leveraging progressive profiling. Contacts are now tracked by a unique device ID, although the old cookies are still made available to the browser for backwards-compatibility (BC) purposes. (Reported by @micschk).

Note: The feature "Identify visitor by tracking url" is still subject to vulnerability number 4 above. New installations now have it disabled by default, but existing installations had it enabled. Therefore, if you are not using this feature, have the email custom field set as publicly updatable, and are leveraging form progressive profiling, please disable "Identify visitor by tracking url" in Mautic's configuration under Tracking Settings.

(CVEs are pending)
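Security notice 1 concerns CSV injection: a contact field whose value starts with a formula trigger character is executed as a formula when the exported file is opened in a spreadsheet. The following is an added example, not Mautic's own export code, showing the OWASP-recommended mitigation (prefixing such cells so the spreadsheet treats them as text) applied to a constructed contact export; the function names and sample contacts are assumptions for illustration.

```python
import csv
import io

# Leading characters that Excel/LibreOffice interpret as the start of a formula
# (see https://www.owasp.org/index.php/CSV_Injection). Tab and CR are included
# because some spreadsheet imports strip them and then see the next character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True when a cell with this value would be evaluated as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value) -> str:
    """Neutralise a cell for CSV export.

    A leading single quote forces spreadsheet applications to treat the cell
    as literal text; None becomes an empty cell. Non-string values (ids,
    timestamps) are stringified first so the check also covers them.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_contacts(contacts, fields) -> str:
    """Render contacts as CSV with every cell passed through sanitize_cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for contact in contacts:
        writer.writerow([sanitize_cell(contact.get(field)) for field in fields])
    return buf.getvalue()


# Constructed sample data (hypothetical contacts): the second contact's first
# name is a harmless but formula-shaped value that a publicly updatable field
# could have received, and the phone number shows the "+" false-positive case.
SAMPLE_CONTACTS = [
    {"firstname": "Alice", "lastname": "Smith", "email": "alice@example.com", "phone": "5550100"},
    {"firstname": "=SUM(1,2)", "lastname": "Jones", "email": "bob@example.com", "phone": "+15550101"},
]
SAMPLE_FIELDS = ["firstname", "lastname", "email", "phone"]

if __name__ == "__main__":
    print(export_contacts(SAMPLE_CONTACTS, SAMPLE_FIELDS))
```

Values that legitimately begin with "+" or "-" (international phone numbers, negative amounts) also get the prefix, so an export that must round-trip such fields needs to either accept the quote or restrict the check to text columns.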

Change Log

Features

  • #5854 Added plugin support for 3rd party SMS transports (@galvani)
  • #5797 Added new API endpoint to send a SMS to contact (@kuzmany)
  • #5794 Added plugin to integrate with Zapier per their app requirements (@escopecz)
  • #5644 Added ability to clone segments (@davevurby)
  • #5379 Track the source that created and identified a contact (displayed in the contact's History timeline) (@dreiser)
  • #4800 New campaign condition based on a contact's campaign membership (@kuzmany)

Enhancements

  • #5790 Display URL custom fields with hyperlinks (@heathdutton)
  • #5730 Added support to add no-index header to landing pages (@kuzmany)
  • #5667 Added support to add no-index header to assets (@kuzmany)
  • #5715 Added chunking options to the broadcast command (@escopecz)
  • #5611 Added support to update company fields in tracking code (@kuzmany)
  • #5437 Implemented lead device tracking rather than contact ID tracking (@dreiser)
  • #4732 Option to set contact as the reply to for the send form results post submit action (@captivea-ylb)
  • #5718 Updated vendors to latest patch versions (@escopecz)
  • #5621 Require OpenSSL for new installations and removed mcrypt as required (@dreiser)
  • #5582 Improved campaign progress statistics user interface (@renjith341)

Bugs

  • #5842 Fixed CRM not mapping company custom fields for new companies (@alanhartless)
  • #5841 Fixed a bug in the Salesforce (SF) integration that did not use the nextUrl when syncing more than 2K records, and use SystemModStamp instead of LastModifiedDate (@alanhartless)
  • #5840 Only push companies for integration syncs if push is enabled (@alanhartless)
  • #5838 Added custom field alias constraint for database special keywords to prevent query errors (@escopecz)
  • #5835 Escape backslashes in company names (and just in case, contact emails) to prevent Salesforce query errors (@alanhartless)
  • #5834 Fixed issue with batch deleting custom fields where schema remained intact (@alanhartless)
  • #5812 Import command when delayed will return success instead of failure (@escopecz)
  • #5807 Save email stats before sending to ensure stat is available for emails sent immediately (@alanhartless)
  • #5804 Add lead to the log only after persisted to avoid cascade persist error (@escopecz)
  • #5800 Fixed email tokens that did not hydrate company data (@alanhartless)
  • #5762 Use appropriate for loop on preEventDeliveryQueue array instead of for…in (@dongilbert)
  • #5758 Fix social login with automatically generated form HTML code (@kuzmany)
  • #5754 Fixed case where special characters in forms embedded on landing pages may not show (@kuzmany)
  • #5752 Fixed issue with extending forms where data was not passed to the FormField through the $options array (@kuzmany)
  • #5750 Fixed setting contact's owner and stage via API (@escopecz)
  • #5741 Fixed email dynamic content owner lookup (@kuzmany)
  • #5735 Replace the use of eval-based JavaScript (@Flavien)
  • #5702 Fixed the UI for Form Field properties tab (@kuzmany)
  • #5701 Fixed problem with MailjetTransport header X-MJ-CUSTOMID (@XRaccourci)
  • #5697 Fix pending count on segment email (@Dcoutelle)
  • #5676 Prevented a PHP Notice, Undefined variable: companyFields (@escopecz)
  • #5675 Update the contact's primary company name after company name changed (@kuzmany)
  • #5666 Fixed API activity date filters (@Noa83)
  • #5620 Fixed Froala code view editor where image CSS was getting stripped (@GaberNeighbor)
  • #5616 Fixed multi-select field matching with SugarCRM (@stancel)
  • #5599 Prevent errors if trying to execute subsequent actions for a contact just removed from a campaign (@kuzmany)
  • #5551 Fix multiselect custom field in campaign condition (@kuzmany)
  • #5545 Fixed vTiger mapping issue (@kuzmany)
  • #5533 Fixed segmenting contacts based on multi-select custom fields (@kuzmany)
  • #5520 Prevented creating duplicate contacts through the API due to sanitizing unique identifiers after checking for existing (@escopecz)
  • #5304 Fixed generated HTML for forms embedded into focus items (@kuzmany)
  • #5291 Added Zoho unit tests (@Dcoutelle)
  • #5258 Fixed syncing multi-select fields with Pipedrive (@kuzmany)

Developer notes

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @brandner, @calevans, @captivea-ylb, @chendwww, @chrisinf, @coffeverton, @davevurby, @Dcoutelle, @dongilbert, @dreiser, @dsp76, @escopecz, @Flavien, @GaberNeighbor, @galvani, @heathdutton, @joanbono, @johbuch, @justinfortes, @KaKite, @kuzmany, @manishbhatias, @micschk, @mMuck, @mrerich, @Noa83, @npracht, @renjith341, @rowlandhill, @sarahwernik, @stancel, @XRaccourci, @YannickBiet, @yourdigitalclub

SHA1: fc130eefbde2eb22a4d1de3aa5815b98c177d782