Versions Compared

Old Version 9

changes.mady.by.user Srikanth Adiga

Saved on

compared with

New Version Current

changes.mady.by.user Vinayak Pawar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

For  more details refer: User managementManagement 

Active Users' Report

Super administrators can view and generate active users' report for a specific time interval. This is useful to understand the usage of OpenSpecimen at a center especially when multiple users from different groups are using the instance.

...

In previous version, the date/time fields in the query results, exported CSV files, and the custom DE fields were formatted using the server time zone. This works fine when both the server and the end-users are in the same time zone. But there might be studies which have users operating from different time zones. To support this, OpenSpecimen now formats the date/time field values using the user time zone. This will ensure the date/time is displayed in all places in OpenSpecimen based on what is entered by the user.

Security fixes

The release build v6.2.RC2 has some very important security fixes. The security vulnerabilities that are fixed in this release build are listed below:

1. Cross-site request forgery: The attacker performs unwanted OpenSpecimen activities using the authentication session without the user's knowledge or interaction. The attacker exploits OpenSpecimen's trust in the user's browser.

2. Potential cross-site scripting: The attacker uses OpenSpecimen to send malicious code in the form of JavaScript to unsuspecting users. The end user's browser executes the script, which can result in revealing cookies, tokens and other sensitive information used by the browser for communication with OpenSpecimen. The attacker exploits the browser's trust in OpenSpecimen.

3. Unsafe cross-origin destination: When the end-users add links to external websites (as in CP SOP) that are affected by malicious code, then the affected website can trick the OpenSpecimen users to reveal the sensitive information and further spread the malicious code.

4. CSV injection: In this attack, disgruntled OpenSpecimen users (Biobank staff) upload specially crafted data that allows them to execute malicious code on other users' computers when the victims export and open the CSV data file.

5. Unrestricted file uploads: In this attack, disgruntled OpenSpecimen users (Biobank staff) upload malicious code files (.exe) that are executed on other users' computers when the victims click or download the file links.

REDCap Integration Improvements

...