RPM-1098 Fixed a server-side request forgery (SSRF) vulnerability on custom handlers. CVSSv3.1 score 6.5 (Medium). Application Runtime Data Access and Manipulation Fix Details: To protect our customers, we're not providing further details on the issue.
RPM-1172 Fixed an issue that caused the logs of mobile apps to have an incorrect timestamp. Application Runtime Logging Fix Details: The logs related to mobile apps, as shown in Service Center, sometimes presented a timestamp that deviated from the actual time the event occurred. This could cause the events in the logs not to reflect the order in which they actually occurred, making it harder to understand the logs and troubleshoot a mobile app. The behavior was fixed and the timestamp of the logs now reflects the exact time of the event.
RPM-1265 Fixed an issue that sometimes caused the Environment Information not to be filled in the Service Center error logs. Application Runtime Logging Fix Details: The issue would sometimes manifest when the device running the mobile app was offline and an error occurred. When the device came back online, the information was sent to the server to be logged. The log was written; however, the Environment Information field, as seen in the error log detail, didn't contain any data. Such information is useful to provide the runtime context in which the error occurred. This issue had no impact on the mobile app's normal usage or on the end-user experience.
RPM-1308 Fixed an issue in PWA applications where splash screens would hang on iOS 14.6 devices. Application Runtime Application Distribution Fix Details: According to https://www.theregister.com/2021/06/16/apple_safari_indexeddb_bug/, Apple's WebKit team has managed to break the popular IndexedDB JavaScript API in the latest version of Safari (14.1.1) on macOS 11.4 and iOS 14.6.
RPM-1352 Fixed broken reference errors to indirect producers after an upgrade to Platform Server 11.12.1 or higher. Publish Operation Fix Details: After upgrading to 11.12.1 and publishing a module, runtime errors due to incompatible definitions might occur. The issue would occur when a consumer module A uses a producer module B and that producer, in turn, has a producer C that references an extension E. In that case, module A would have errors about incompatibility with an Action from extension E.
RPM-1371 Fixed an issue that caused navigations to the previous screen to go back more screens than they should. Application Runtime Fix Details: On a Mobile or Reactive Web app, a link that navigates to the previous screen would instead go to the screen before that. Effectively, the navigation would send users to 2 screens before the screen they were on. More specifically, the wrong previous screen navigation occurs only after a navigation is performed on an OnInitialize event of a screen. The issue happens only with applications compiled on Platform Server version 11.12.0 or higher. It may happen on previous Platform Server versions if the environment had the React 16 Technical Preview feature activated. The issue was fixed in this version and the wrong redirect will no longer occur.
RPM-599 Fixed an issue that caused disabled Scheduler services to pick up events and email tasks that they would not process. This also caused a permanent warning to be displayed on the monitoring pages. Application Lifecycle Service Center Fix Details: When configuring the servers, it is possible to disable BPT processing for specific servers. This issue caused some events to be picked up during the startup of the disabled schedulers but never processed. The issue does not exist if all servers are allowed to execute BPT.
RPM-728 Fixed an integrated authentication vulnerability in OutSystems Cloud environments. CVSSv3.1 score 5.5 (Medium). Cloud PaaS Fix Details: Fixed a vulnerability that would allow, in the OutSystems Cloud, users with access to the underlying infrastructure to access applications developed in the environment. The vulnerability was fixed so that it no longer allows privileged users with infrastructure access to log in to applications.
RPM-921 Fixed an issue that was preventing developers from using the Distribute tab in Service Studio. The issue would only manifest when Active Directory authentication was enabled for IT users. Service Studio Distribute Fix Details: For Mobile apps, accessing the Distribute tab in Service Studio in an environment with Active Directory enabled for IT users would result in an "Invalid user credentials" error, even if the credentials were correct. The issue would occur with a combination of a Platform Server version higher than 11.10.2 and Service Studio version 11.10.06 or higher.
RPM-997 Fixed multiple security risks in the documentation of a REST API by raising the version of handlebars.js used in the Swagger UI. CVSSv3.1 score 6.5 (Medium). Application Runtime Logic Execution Fix Details: The auto-generated documentation of a REST API was using an outdated version of handlebars.js that has known vulnerabilities. Security tests would flag this. The handlebars.js version was raised to an updated version.