CSM 10.1.0 Security Updates

CSM 10.1.0 Security Updates: this list describes the security enhancements and fixes for issues that were reported in previous releases.

Cherwell recommends that you upgrade to this version to ensure the security of your installation.

Machine-level Permissions/System Vulnerabilities

  • CSM-61531 Security Vulnerability: The server wasn't validating file extensions when filtering attachments. Browser, Desktop Client and One-Step Action transfer attachments now all validate the allowed file extensions on the server using their metadata. All email attachments and record attachments are now verified to help prevent cross-site scripting attacks.
  • CSM-62591 Security Vulnerability: Updated the One-Step Action execution in the CSM Portal. It now determines if there are any edit commands in One-Step Actions, and then requests a license before allowing One-Step Actions to execute.
  • CSM-63117 Security Vulnerability: Fixed an issue where the CSM Desktop Client would launch an attachment even though the user's security group did not grant them permission to do so.
  • CSM-64050 Security Vulnerability: Uploads through the One-Step Action file contents Token prompt are now restricted to the file types specified in the prompt.
  • CSM-64322 Security Vulnerability: ShowLogin and CancelLogin APIs are now protected against Cross Site Request Forgery (CSRF) and cross-domain referer leakage.
  • DR 50347 Security Vulnerability: Fixed an issue where the CSM Portal allowed an anonymous login to give access to a REST API operation. Permissions are now checked for the REST API to verify rights against the requested Scope.

Cross-site Scripting

  • CSM-56991 Security Vulnerability: Fixed an issue where HTML tags within Knowledge Article titles were not being encoded when rendered in a list. This helps to prevent cross-site scripting attacks.
  • CSM-57127 Security Vulnerability: Fixed an issue with displaying change titles on IT calendar. This helps to prevent cross-site scripting attacks.
  • CSM-60618 Security Vulnerability: Removed XML as a stored file type that is opened in the browser by default. This helps to prevent cross-site scripting attacks.
  • CSM-62655 Security Vulnerability: Fixed an issue where modifying the extension in an attachment's download link could result in the attachment being downloaded as an incorrect file type. This fix helps to prevent cross-site scripting attacks.
  • DR 50295 Security Vulnerability: Fixed a security issue with URL links reflecting script code through the tab ID.
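
The following is an added example, not Cherwell's code, of the server-side checks that the CSM-61531 and CSM-62655 items describe: an upload must pass an extension allowlist and a content-signature check, and a download takes its type from the stored record rather than from the link the client requested. The allowlist, the signatures and the record layout are assumptions made for the example.

```python
"""Server-side attachment checks (constructed example, not CSM code)."""
import os

# Assumed allowlist: permitted extensions and the leading bytes each type
# must start with. An empty list means the type has no usable signature.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".txt": [],
}
CONTENT_TYPES = {".png": "image/png", ".jpg": "image/jpeg",
                 ".pdf": "application/pdf", ".txt": "text/plain"}


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The extension must be on the allowlist and,
    where the type has a known signature, the bytes must match it, so a file
    renamed to a harmless extension is still rejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    signatures = ALLOWED[ext]
    if signatures and not any(data.startswith(s) for s in signatures):
        return False, f"content does not match {ext} signature"
    return True, "ok"


def download_headers(stored: dict, requested_name: str) -> dict:
    """Build response headers from the server-side record only. The name in
    the request URL is deliberately ignored, so rewriting the link's
    extension cannot change how the browser treats the bytes."""
    del requested_name  # untrusted; never used for type decisions
    name = stored["name"].replace('"', "").replace("\\", "")
    ext = os.path.splitext(name)[1].lower()
    return {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        # 'attachment' makes the browser save rather than render inline
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }
```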

CSM Security Groups/Rights

  • CSM-57785 Security Groups: Added the ability to specify a default email address for a Security Group. This will override the global default email address, but not a user's default email address.

Security Enhancements

  • CSM-53360 Security: Fixed an issue where a user would need to manually remove an uploaded file containing an error (by clicking the X) before the upload control would proceed. Now, the upload modal will automatically remove the file(s) with errors when the user selects new files to upload. The user can still remove the file with the error manually by clicking the X.
  • CSM-59222 Security: Updated the Change Password and Login pages on the REST API to not submit password values as clear text. They are encoded on the client and then decoded on the server.
  • DR 1149 Security: In CSM Administrator, on the Security Settings window > Cherwell Credentials page, you can select the "Enforce Windows complexity rules" check box to require that passwords be complex for Cherwell Users and/or Cherwell Customers. If you clear this check box and subsequently reset a Cherwell User password when on a 3-tier connection, the user is now able to log in using the new Cherwell credentials, as expected.
  • DR 44643 Security: Added the ability to restrict access to email accounts by Security Group.