This is the Security 14r1 Release Notes Document. It is an extract of the 14r1 Release Notes showing only the security fixes made. It can be used by security sensitive customers to decide whether an update of the innovaphone structure is needed with a new Service Release.

Service Releases are planned for the second Monday each month.

Please see the disclaimer before using the information presented here!

Security 14r1

14r1 Service Release 1 (1410485)

159317 - Advanced UI: Prevent XSL injection

The servlets for the advanced UI accept an "xsl" URL paramter that

specifies the XSLT file for displaying the corresponding page.

Before this fix it was possible to specify a URL containing a colon represented in XML entity encoding.

​

CVE-2024-28722

14r1 Service Release 4

Other improvements in 14r1

157823 - AP Manager Login: Fix for brute force attacks

CVE-2024-24721

156999 - App Users: Prevent account enumerate

CVE-2024-24720