Versions Compared

Old Version 9

changes.mady.by.user Srikanth Adiga

Saved on

compared with

New Version 10

changes.mady.by.user Vinayak Pawar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In previous version, the date/time fields in the query results, exported CSV files, and the custom DE fields were formatted using the server time zone. This works fine when both the server and the end-users are in the same time zone. But there might be studies which have users operating from different time zones. To support this, OpenSpecimen now formats the date/time field values using the user time zone. This will ensure the date/time is displayed in all places in OpenSpecimen based on what is entered by the user.

Security fixes

The release build v6.2.RC2 has some very important security fixes. The security vulnerabilities that are fixed in this release build are listed below:

1. Cross site request forgery: The attacker performs unwanted OpenSpecimen activities using the authentication session without user's knowledge or interaction. The attacker exploits OpenSpecimen's trust on the user's browser.

2. Potential cross-site scripting: The attacker uses OpenSpecimen to send malicious code in the form of JavaScript to unsuspecting users. The end user's browser executes the script, which can result in revealing of cookies, tokens and other sensitive information used by the browser for communication with OpenSpecimen. The attacker exploits the browser's trust on OpenSpecimen.

3. Unsafe cross-origin destination: When the end users add links to external websites (as in CP SOP) that are affected by malicious code, then the affected website can trick the OpenSpecimen users to reveal the senstive information and further spread the malicious code.

4. CSV injection: In this attack, disgruntled OpenSpecimen users (Biobank staff) upload specially crafted data that allows them to execute malicious code on other users' computers when the victims export and open the CSV data file.

5. Unrestricted file uploads: In this attack, disgruntled OpenSpecimen users (Biobank staff) upload malicious code files (.exe) that is executed on other users' computers when the victims click or download the file links.

REDCap Integration Improvements

...