Security Updates
All security-relevant changes from the latest BCS releases
Installing updates regularly is one of the most important security measures available to users. We continuously look for potential security vulnerabilities and fix them as soon as they are found, so every BCS update contains bug fixes and closes security gaps. Update your BCS installation regularly to stay protected against potential risks as well as possible.
Secure with the latest BCS version
It is worth updating to the latest BCS version: it always contains all security fixes made in previous releases.
We rate fixed vulnerabilities according to the Common Vulnerability Scoring System (CVSS). CVSS produces a numerical severity score that is mapped to a qualitative rating; it measures severity, not risk. CVSS consists of three metric groups: Base, Temporal and Environmental. The Base metrics yield a score between 0 and 10, which can then be adjusted by scoring the Temporal and Environmental metrics.
The color coding of the severity levels on this page follows the qualitative severity rating scale in the CVSS v3.0 specification:
Severity | CVSS Score Range |
---|---|
None | 0.0 |
Low | 0.1 - 3.9 |
Medium | 4.0 - 6.9 |
High | 7.0 - 8.9 |
Critical | 9.0 - 10.0 |
Projektron BCS 24.1
Description | Vulnerability (CVSS-Score) | Backported to |
---|---|---|
The Apache Tomcat supplied as standard with the Projektron BCS Installer has been updated to version 9.0.90, which closes a security gap. We recommend that you also update the Apache Tomcat in your own installation to the version given in the installation requirements. Since this Tomcat should only serve Projektron BCS, remove the parts of the Tomcat installation that are not needed when you update it: delete the files and directories belonging to the Tomcat sample applications from /tomcat/webapps/ to avoid problems connected with the Tomcat sample files. Further information on the update can be found on the Projektron support server in FAQ entry 449. | CVSS-Score 7.5 | 23.2 |
Fixes a security vulnerability in a JavaScript library used by BCS. | CVSS-Score 7.5 | 23.2 |
Fixes security vulnerabilities in various Java libraries required for email import via Microsoft Graph. | CVSS-Score 5.5 | 23.4 |
A bug has been fixed that made it possible to see in a view whether an absence was vacation or sick leave without holding the required permission. | CVSS-Score 3.5 | 23.2 |
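The Tomcat entry above amounts to two administrative checks: is the installed Tomcat at least the required version, and does webapps/ still contain anything besides the BCS application? The following is an added example of how an administrator could script both; it is not part of the Projektron BCS page or installer. The list of stock webapps is the one shipped in an Apache Tomcat 9 distribution, the directory layout and the BCS context name `bcs` are assumptions, and the sample webapps tree is constructed in a temporary directory so the script runs offline.

```python
"""Added example (not Projektron BCS code): post-update Tomcat checks.

1. Compare the installed Tomcat version against a required minimum.
2. Strip the stock Tomcat webapps so only the BCS application remains.

Stock webapp names are those of the Apache Tomcat 9 distribution; the
installation layout and the BCS context name are assumptions.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Webapps shipped with a stock Apache Tomcat 9. None of them is needed to
# run BCS; the manager/host-manager apps in particular expose admin surface.
STOCK_WEBAPPS = ("ROOT", "docs", "examples", "host-manager", "manager")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.0.90' or 'Apache Tomcat/9.0.90' into a comparable tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_ok(installed: str, minimum: str) -> bool:
    """True when installed >= minimum; '9.0.90.0' counts as >= '9.0.90'."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def installed_tomcat_version(catalina_home: Path) -> str:
    """Ask the installed Tomcat for its version (needs java on PATH).

    ServerInfo prints e.g. 'Server version: Apache Tomcat/9.0.90'.
    """
    out = subprocess.run(
        ["java", "-cp", str(catalina_home / "lib" / "catalina.jar"),
         "org.apache.catalina.util.ServerInfo"],
        capture_output=True, text=True, check=True).stdout
    return next(line.split(":", 1)[1].strip()
                for line in out.splitlines() if line.startswith("Server version"))


def strip_stock_webapps(webapps: Path) -> list[str]:
    """Delete stock Tomcat webapps (exploded dirs and .war files).

    Returns the names of whatever is left, which should be the BCS
    application only; anything unexpected deserves a manual look.
    """
    for name in STOCK_WEBAPPS:
        for victim in (webapps / name, webapps / f"{name}.war"):
            if victim.is_dir():
                shutil.rmtree(victim)
            elif victim.exists():
                victim.unlink()
    return sorted(p.name for p in webapps.iterdir())


def demo_webapps() -> Path:
    """Constructed sample layout (not a real installation): stock webapps
    plus an assumed BCS context named 'bcs', built in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="webapps-"))
    for name in ("ROOT", "docs", "examples", "host-manager", "bcs"):
        (root / name).mkdir()
    (root / "manager.war").write_bytes(b"")
    return root


if __name__ == "__main__":
    sample = demo_webapps()
    print("left in webapps/:", strip_stock_webapps(sample))
    print("9.0.89 meets minimum 9.0.90?", version_ok("9.0.89", "9.0.90"))
```

On a real installation, call `installed_tomcat_version(Path("/opt/tomcat"))` (or wherever Tomcat lives) and feed the result to `version_ok(..., "9.0.90")` before running `strip_stock_webapps` against the actual webapps directory.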
Projektron BCS 23.4
Description | Vulnerability (CVSS-Score) | Backported to |
---|---|---|
Fixes security vulnerabilities in various Java libraries required for email import via Microsoft Graph. | CVSS-Score 5.5 | |
Fixes a security vulnerability in a JavaScript library used by BCS. | CVSS-Score 7.5 | 23.3 |
Fixes a vulnerability in a Java library used by Projektron BCS for e-invoices. | CVSS-Score 8.1 | 23.1 |
Fixes several security vulnerabilities in a Java library used by Projektron BCS to manage TLS/SSL certificates. | CVSS-Score 7.5 | 23.3 |
Fixes an XSS vulnerability that could be exploited by a user with elevated privileges. | CVSS-Score 4.6 | 23.1 |
Fixes a security vulnerability in the appointment agenda through which the subject of an appointment with restricted visibility could be determined. | CVSS-Score 5.3 | 23.1 |
Fixes a security vulnerability in the export of vCards. | CVSS-Score 5.1 | 23.1 |
Fixes security vulnerabilities in a Java library used by Projektron BCS that could be triggered under certain circumstances when backing up and restoring Projektron BCS. | CVSS-Score 5.5 | 23.2 |
Projektron BCS 23.3
Description | Vulnerability (CVSS-Score) | Backported to |
---|---|---|
The vulnerability CVE-2024-25710 has been fixed by updating the Java library Apache Commons Compress, which Projektron BCS uses primarily for packing and unpacking the Projektron BCS backup. | CVSS-Score 5.5 | 23.2 |
The vulnerability CVE-2024-26308 has been fixed by updating the Java library Apache Commons Compress, which Projektron BCS uses primarily for packing and unpacking the Projektron BCS backup. | CVSS-Score 5.5 | 23.2 |
A bug has been fixed that could prevent users from being logged out when their login permission changed. | CVSS-Score 1.0 | - |
This entry is only relevant if you use the project email import with Subversion integration. When importing emails with SVN integration enabled, it was potentially possible to import commit objects that did not correspond to actual SVN commits. The prerequisite is that an attacker is able to send arbitrary emails to the email import account. To prevent this, a secret is now required for SVN integration. Further information can be found in the administration documentation in the chapter "Subversion Integration". | CVSS-Score 3.9 | - |
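The SVN integration entry above describes the general weakness: a mailbox that turns inbound mail into commit records trusts anyone who can reach that mailbox. The page says only that a secret is now required and does not describe how BCS checks it. The following added example (not Projektron BCS code) shows one sound way such a secret can be applied: the post-commit hook adds an HMAC-SHA256 tag computed over the commit fields with the shared secret, and the importer recomputes the tag and compares it in constant time. Binding the tag to the commit fields also means a captured tag cannot be reused for a different commit. The header names, addresses and mail text are constructed for illustration.

```python
"""Added example (not Projektron BCS code): authenticating commit mails.

A shared secret between the SVN post-commit hook and the mail importer,
applied as an HMAC over the commit fields, rejects mails from anyone who
can reach the import mailbox but does not hold the secret. Header names,
addresses and the sample mail are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
from email import message_from_string

# Commit fields covered by the tag, in fixed order.
SIGNED_FIELDS = ("X-SVN-Repository", "X-SVN-Revision", "X-SVN-Author")


def commit_tag(secret: bytes, fields: dict[str, str]) -> str:
    """HMAC-SHA256 over the signed header values, joined in fixed order."""
    payload = "\n".join(fields[k] for k in SIGNED_FIELDS).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def sign_notification(secret: bytes, raw: str) -> str:
    """Hook side: add the tag header to an outgoing notification mail."""
    msg = message_from_string(raw)
    msg["X-SVN-Auth"] = commit_tag(secret, {k: msg[k] for k in SIGNED_FIELDS})
    return msg.as_string()


def verify_notification(secret: bytes, raw: str) -> dict[str, str] | None:
    """Importer side: return the commit fields if the tag is valid, else None.

    None covers missing commit headers, a missing tag and a wrong tag.
    """
    msg = message_from_string(raw)
    if any(msg.get(k) is None for k in SIGNED_FIELDS) or msg.get("X-SVN-Auth") is None:
        return None
    fields = {k: msg[k] for k in SIGNED_FIELDS}
    expected = commit_tag(secret, fields)
    # constant-time comparison; a plain == would leak the tag byte by byte
    if not hmac.compare_digest(expected, msg["X-SVN-Auth"]):
        return None
    return fields


# Constructed sample: the hook's notification before signing.
SECRET = b"example-shared-secret-not-for-production"
HOOK_MAIL = """From: svn@example.test
To: bcs-import@example.test
Subject: r1024 committed
X-SVN-Repository: projects
X-SVN-Revision: 1024
X-SVN-Author: alice

Fix ticket #42
"""


def demo() -> tuple[bool, bool, bool]:
    """(genuine mail accepted, unsigned forgery rejected, tampered replay rejected)."""
    signed = sign_notification(SECRET, HOOK_MAIL)
    genuine = verify_notification(SECRET, signed) is not None
    # attacker who can mail the import account but lacks the secret
    forged = verify_notification(SECRET, HOOK_MAIL.replace("alice", "mallory")) is None
    # attacker replays a captured signed mail after changing the author
    tampered = verify_notification(SECRET, signed.replace("alice", "mallory")) is None
    return genuine, forged, tampered


if __name__ == "__main__":
    print("genuine accepted, forgery rejected, tampered rejected:", demo())
```

The importer must also keep the secret out of the mail itself and out of logs; with an HMAC only the tag travels in the message, which is the reason to prefer it over sending the secret as a plain header.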
Projektron BCS 23.2
Description | Vulnerability (CVSS-Score) | Backported to |
---|---|---|
Fixes a security vulnerability in the BPMN module; this entry is only relevant if you have activated the BPMN module. | CVSS-Score 8.0 | 22.3 |
If a user held permissions on a ticket exclusively via a query, they could continue to receive email notifications for that ticket after the query had been answered. This has been fixed. In the course of this, the behaviour of the "More email addresses" field on tickets was changed: previously, BCS looked up a person matching the entered address and, if one was found, sent the email to that person's main address. Now the email address entered in the field is always used. | CVSS-Score 3.1 | 22.2 |
All security-related changes from previous releases
Projektron BCS 23.1
Description | Vulnerability (CVSS-Score) | Backported to |
---|---|---|
Fixes HTML injection vulnerabilities that could occur when sending mails. | CVSS-Score 7.7 | 22.3 |
Fixes a security vulnerability in a Java library used by Projektron BCS in connection with the Microsoft 365 interface. | CVSS-Score 7.5 | 22.3 |
Fixes a security vulnerability in a Java library used by Projektron BCS to draw graphics on the server side. | CVSS-Score 7.1 | 22.2 |
Fixes a persistent cross-site scripting (XSS) vulnerability. | CVSS-Score 8.7 | 22.2 |
Fixes a security vulnerability in a JavaScript library used by Projektron BCS that does not directly affect Projektron BCS. An update is nevertheless recommended. | CVSS-Score 9.8 | 22.1 |
Fixes a security vulnerability in one of the Java libraries used by Projektron BCS. | CVSS-Score 6.2 | 22.1 |
Fixes two persistent cross-site scripting (XSS) vulnerabilities. | CVSS-Score 8.7 | 22.1 |
Projektron BCS 22.4
Description | Vulnerability (CVSS-Score) | Backported to |
---|---|---|
Fixes a reflected cross-site scripting (XSS) vulnerability. | CVSS-Score 6.1 | 22.1 |
Fixes a security vulnerability in a Java library used by Projektron BCS that could lead to a denial of service. | CVSS-Score 7.5 | 22.1 |
Fixes a security vulnerability in one of the JavaScript libraries used by Projektron BCS. | CVSS-Score 7.5 | 22.1 |
Fixes two security vulnerabilities in two libraries used by Projektron BCS to import and send emails via the Microsoft Graph interface. | CVSS-Score 7.5 | 22.1 |
Fixes a security vulnerability in one of the JavaScript libraries shipped with Projektron BCS that is not used directly by Projektron BCS. Updating Projektron BCS is nevertheless recommended. | CVSS-Score 7.5 | 22.1 |
Projektron BCS 22.3
No security vulnerabilities were identified in this version.
Projektron BCS 22.2
Description | Vulnerability (CVSS-Score) | Backported to |
---|---|---|
Fixes a security vulnerability in one of the Java libraries used by Projektron BCS, which is used in multiple views across various Projektron BCS areas. | CVSS-Score 7.5 | 22.1 |