Password Manager 5.8.2 cumulative hotfix (318158)

Angular template injection vulnerability in PM versions 5.8.2 and 5.9.3 

Cross site scripting vulnerability in PM versions 5.8.2 and 5.9.3. 

Required to upgrade jQuery version to 3.4 to avoid new security vulnerability.

Starling does not use proxy settings completely. 

reCAPTCHA images are not displayed in Secure Password Extension (SPE).

reCAPTCHA validation fails in the User site when more than one user is found during user search.

Helpdesk site limits the user search if Do not allow users to search for their accounts option is selected.

Scheduled tasks fails randomly in multi-processor systems. 

reCAPTCHA fails to support proxy configuration. 

Unhandled exception error appears in User site during invalid sessions. 

In the self-service site, users are not able to register either with email or with the mobile workflow when an optional question is set to mandatory.

When a user is part of both the group and the OU, duplicate entries are observed in user search reports.

Registration workflow for end user require corporate mobile phone as optional, when starling is joined.

TLS v1.0 has to be enabled for Starling authentication to work. 

Server-Side Request Forgery (SSRF) vulnerability in the Password Manager’s user site.

"Upgrade patch cannot be installed because the expected version is missing” error is displayed when the hotfix is installed. 

PM fails to validate the email address/ phone numbers fields before even passing it to Starling for authentication.

Password Manager authentication gets impacted when Microsoft updates settings for LDAP channel binding and LDAP signing.

When Authentication Methods activity is configured for any workflow, user can identify the wrongly answered question from the HTTP Response object even after unchecking the Allow users to see what questions were answered correctly option.

Users are not able to register without a mobile number even after configuring the starling.

Auto-generated password reset fails on the Helpdesk site.  

Password Manager’s self-service site become unresponsive when close to 500 users try to use it simultaneously and when the storage file is more than 1.5 MB in size.

When iPad device is used in landscape mode end user is unable to scroll down to view additional content in any screen of the PM self-service site.

Scheduled Tasks fails and an error is displayed when nested groups/OUs are configured under users scope. 

In the Japanese OS, error occurred in Forgot My Password workflow on both Admin and User sites.

Few fields of the PMUser Site does not appear, when accessed on an Android Tablet browser.

Though Recaptcha is enabled, error message does not appear in UI when the internet connection is disabled.

Password Manager license key grows indefinitely and gets corrupted in the registry.

User is not able to reset the password in the AD environment even after enabling the Force user to change password at next logon activity with LDAP over SSL.

User Status Statistics schedule task fails with Object Reference Error for disabled users.

Disabled users are not able to register with Password Manager successfully.

Unable to send email to Administrator when workflow fails. 

Duplicate entries in email template when custom activity is enabled on workflows.

Some of the special characters that were supported by windows were not supported by Password Manager while validating the complexity rule.

PMUser site has issues in Portrait/Landscape mode. 

While running User Status Statistics (USS) tasks, "There is no such object on the server." error appears

Please download the hotfix here.

NOTE:

• This is a cumulative hotfix. Installing this will contain all of the previously delivered public, private and diagnostic hotfixes. This hotfix also contains an update to the latest version of jQuery and fixes for security vulnerabilities.
• Though it is not being referenced anywhere, the PM installed directory would still contain jquery-3.3.1.js files and shall be removed in the future release.
• Vulnerability fix for Common Comment Types are not included in this hotfix, as the application contains places where characters like "#" and "{" are still accepted as valid characters.
  

• web.config files of all Password Manager websites
• QPM.Service.Host.exe.config located at \Service folder