Security Updates

All security-relevant changes from the latest BCS releases

Installing updates regularly is one of the most important security measures users can take. We continuously look for potential security vulnerabilities and fix them as soon as they are identified, so every update to our software includes bug fixes and closed security gaps. Update your BCS installation regularly to be protected against potential risks as well as possible.


Secure with the latest BCS version

It is worth updating to the latest BCS version: it always contains all fixes for the security gaps closed in previous releases.

We rate the severity of the fixed vulnerabilities according to the Common Vulnerability Scoring System (CVSS), a method that yields a qualitative severity rating. CVSS is not a measure of risk. It consists of three metric groups: Base, Temporal and Environmental. The base metrics produce a score between 0 and 10, which can then be adjusted by scoring the temporal and environmental metrics.

The color coding of the severity level is based on the ratings given in the CVSS v3.0 specification:

Severity | Score range
None     | 0.0
Low      | 0.1 - 3.9
Medium   | 4.0 - 6.9
High     | 7.0 - 8.9
Critical | 9.0 - 10.0

Projektron BCS 23.3

Description | Severity (CVSS) | Backported to
Security vulnerabilities in a Java library used by Projektron BCS, which could be triggered under certain circumstances when backing up and restoring Projektron BCS, have been fixed. | 5.5 | 23.2
CVE-2024-25710 has been fixed by updating the Java library Apache Commons Compress, which Projektron BCS uses primarily to pack and unpack the BCS backup. | 5.5 | 23.2
CVE-2024-26308 has been fixed by updating the Java library Apache Commons Compress, which Projektron BCS uses primarily to pack and unpack the BCS backup. | 5.5 | 23.2
A security vulnerability in the export of vCards has been fixed. | 5.1 | 23.1
A bug has been fixed that could prevent users from being logged out when their login permission changes. | 1.0 | -
This entry is only relevant if you use the project e-mail import with Subversion integration. When importing e-mails with SVN integration enabled, it was possible to import commit objects that did not correspond to actual SVN commits, provided an attacker was able to send arbitrary e-mails to the e-mail import account. To prevent this, SVN integration now requires a secret. Further information can be found in the administration documentation in the chapter "Subversion Integration". | 3.9 | -

Projektron BCS 23.2

Description | Severity (CVSS) | Backported to
Fixes a security vulnerability in the BPMN area; this entry is only relevant if you have activated the BPMN module. | 8.0 | BCS 22.3
If a user held permissions on a ticket exclusively via a query, that user could continue to receive e-mail notifications for the ticket even after the query had been answered. This has been fixed. In the course of this, the behaviour of the "More email addresses" field on tickets was changed: previously, BCS looked up a person belonging to the entered e-mail address and, if one was found, sent the e-mail to that person's main address. Now the e-mail address entered in the field is always used. | 3.1 | BCS 22.2

Projektron BCS 23.1

Description | Severity (CVSS) | Backported to
Fixes HTML injection gaps that could occur when sending e-mails. | 7.7 | BCS 22.3
Fixes a security vulnerability in a Java library used by Projektron BCS in connection with the Microsoft 365 interface. | 7.5 | BCS 22.3
Fixes a security vulnerability in a Java library used by Projektron BCS to draw graphics on the server side. | 7.1 | BCS 22.3
Fixes a persistent cross-site scripting vulnerability. | 8.7 | BCS 22.2
Fixes a security loophole in a JavaScript library used by Projektron BCS that does not directly affect Projektron BCS. An update is nevertheless recommended. | 9.8 | BCS 22.1
Eliminates a security loophole in one of the Java libraries used by Projektron BCS. | 6.2 | BCS 22.1
Fixes two persistent cross-site scripting loopholes. | 8.7 | BCS 22.1

All security-related changes from previous releases

Projektron BCS 22.4

Description | Severity (CVSS) | Backported to
Fixes a reflected cross-site scripting loophole. | 6.1 | BCS 22.2
Fixes a security vulnerability in a Java library used by Projektron BCS that can lead to a denial of service. | 7.5 | BCS 22.1
Eliminates a security loophole in one of the JavaScript libraries used by Projektron BCS. | 7.5 | BCS 22.1
Eliminates two security loopholes in two libraries used by Projektron BCS to import and send e-mails via the Microsoft Graph interface. | 7.5 | BCS 22.1
Eliminates a security loophole in one of the JavaScript libraries shipped with Projektron BCS that is not used directly by Projektron BCS. Updating Projektron BCS is nonetheless recommended. | 7.5 | BCS 22.1

Projektron BCS 22.3

No security vulnerabilities were identified in this version.

Projektron BCS 22.2

Description | Severity (CVSS) | Backported to
Eliminates a security loophole in one of the Java libraries used by Projektron BCS, which is used in multiple views across various Projektron BCS areas. | 7.5 | BCS 22.1

Projektron BCS 22.1

Description | Severity (CVSS)
Eliminates security loopholes in multiple JavaScript libraries which, under certain circumstances, could for example result in a denial of service in the web browser. | 6.5
Eliminates a cross-site scripting security gap in the online help. Note: when updating Projektron BCS, it is especially important that the BCS_HOME/webapp/help directory and the documentation_de.zip and documentation_en.zip files it contains are updated. This requires performing the update with the projektron-bcs-22.1.1.zip archive and not with the projektron-bcs-22.1.1-no_docs.zip archive, as the latter does not contain any online help files. | 8.2
Eliminates a problem where persons who do not participate in an appointment could, under certain circumstances, view the agenda of an appointment with limited visibility. | 4.3
