
3.2.0.4


@nilsteampassnet nilsteampassnet released this 29 Jun 05:50 (commit c71631e)

What's Changed

This maintenance release fixes two security issues, makes inactive-user management aware of API activity, restores the encrypted offline HTML export, reworks multi-factor enrollment, and removes a large amount of dead code.

🔒 Security

  • Fix stored XSS on the One-Time View page (GHSA-cpgh-9h3x-r8gm). The item url, login, password and label were rendered without output encoding. They are now escaped with htmlspecialchars() on output, and javascript:, data: and vbscript: URL schemes are rejected on write.
  • Fix an inverted administrator authorization check in the admin backend (GHSA-fhm7-pf6p-prgg), where the guard denied legitimate admins instead of blocking non-admins. The 11 unreachable admin handlers behind it (DB backup/restore/optimize, cache reload, salt-key rotation, …) were removed.
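As an added illustration of the two halves of the One-Time View fix (this is standalone example code, not TeamPass's own; the function names, the row markup and the sample values are assumptions), a write-side scheme check and an output-side encoder applied to the four fields the advisory names:

```php
<?php
declare(strict_types=1);

// Schemes rejected when an item URL is saved (the three the release lists).
const REJECTED_URL_SCHEMES = ['javascript', 'data', 'vbscript'];

/**
 * Write-side check: true when $url may be stored.
 * Comparison is done on a normalised copy (control characters and whitespace
 * removed, lower-cased) so that case or padding variants of a rejected
 * scheme are still caught; the original string is what gets stored.
 */
function isAcceptableItemUrl(string $url): bool
{
    $normalised = strtolower(preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '');
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/', $normalised, $m)) {
        return true; // relative URL or bare host: no scheme to reject
    }
    return !in_array($m[1], REJECTED_URL_SCHEMES, true);
}

/** Output-side encoding for values rendered into HTML text or attributes. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one item row (constructed markup) with every field encoded. */
function renderItemRow(array $item): string
{
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td><td><a href="%s">%s</a></td></tr>',
        e($item['label']), e($item['login']), e($item['password']),
        e($item['url']), e($item['url'])
    );
}

// Constructed sample values.
var_dump(isAcceptableItemUrl('https://intranet.example/app')); // bool(true)
var_dump(isAcceptableItemUrl(' JavaScript:void(0)'));          // bool(false)
var_dump(isAcceptableItemUrl('intranet.example/app'));         // bool(true)
echo renderItemRow([
    'label'    => 'Wiki <b>admin</b>',
    'login'    => 'svc"wiki',
    'password' => "p'ss&word",
    'url'      => 'https://intranet.example/app',
]), PHP_EOL;
```

The encoder is applied on every render rather than on save, so values already in the database are covered as well; the scheme check only has to run once, on write.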

✨ Features & improvements

  • Inactive-user management now accounts for API usage (PR #5254 / #5257). Functional API actions (item view/create/update/delete/import) are recorded as real activity, so users who only work through the API are no longer wrongly flagged as inactive. The "Never connected" label becomes "No recorded activity", and the admin dashboard now shows the number of API-connected users.
  • Multi-factor authentication rework (PR #5253): cleaner retrieval and validation of enabled MFA methods after primary authentication, a Google Authenticator (TOTP) enrollment flow for users without a secret yet, an MFA reset path, and a count of enabled methods.
  • Offline HTML export restored and hardened. Export → HTML now produces a single self-contained, password-protected file encrypted with WebCrypto AES-256-GCM (key derived via PBKDF2-SHA256, 250k iterations), replacing the former weak GibberishAES flow. The built-in viewer offers per-row reveal/copy, search, and an auto-lock countdown (1/5/15/30/60 min). Gated by the existing settings_offline_mode / offline_key_level settings.
  • Renewal page redesign (PR #5256) with an AdminLTE-style layout, rebuilt DataTables, and a native clear-date button.
  • Improved styling (PR #5259) for the backups tables and status indicators.
  • Login session key resync: on a session-key decode failure the page reloads once (guarded against reload loops) instead of failing.

🐛 Bug fixes

  • CSV import no longer drops items. The folder phase looped over folder count instead of item rows, leaving later items with no folder; the <br> multi-line merge silently discarded records. Imports now walk every row (RFC 4180), preserve passwords verbatim, reuse an existing folder under the same parent, and always report a clear reason on failure.

🧹 Removed

  • API key list and IP whitelist settings tabs (legacy type='key' / type='ip' API keys, unused by the current API).
  • Recovery-keys download (PR #5255) from My Profile (Keys tab, download dialog/action and the related warning toggle) — dead code.
  • Dead MFA fallback path (PR #5253).

Full Changelog

Full Changelog: 3.2.0.3...3.2.0.4

Important

  • Requires at least PHP 8.2

Languages

Please join Teampass v3 translation project on Poeditor and translate it for your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.
