countly-server

Security fixes:

• [alerts] Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration)
• [app_users / logger / compliance-hub] Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries
• [app_users] Sanitize user.picture filename before deletion (path traversal)
• [app_users] Scope export download/delete to caller's app_id; reject path-traversal in filenames
• [apps] Replace updateApp/createApp mass-assignment with explicit field allowlist
• [auth] Generate new-member invite prid with crypto.randomBytes (replace predictable HMAC)
• [auth] Handle req.session.regenerate error in token login
• [auth] Replace OTP-equality recaptcha bypass with twoFactorPassed session flag
• [auth] Restrict /login/token/:token to login-purpose tokens; regenerate session id on token login to close fixation
• [cms / system / systemlogs] /i/cms/save_entries, /o/system/plugins, /i/systemlogs restricted to global admins
• [core] Add common.resolvePathInBase helper for safe path containment checks
• [crashes] Add error handlers to crash report streamed responses
• [dashboards] Constrain public screenshot route paths and stream error handling
• [dashboards] Identical response for missing/inaccessible dashboard (no enumeration)
• [dashboards] Require auth + per-widget app permission on /o/dashboards/test; remove the unused endpoint
• [data_migration] Constrain export/import paths to allowed directories; reject path-traversal in target_path, multipart filenames, and exportid (backport of #7491)
• [data] Escape regex metacharacters in sSearch parameters (ReDoS)
• [data] Return 404 (not 500) when event_groups lookup misses
• [dbviewer] Block $graphLookup aggregation stage (cross-collection data exfiltration)
• [dbviewer] Wrap non-admin scope as top-level $and so user-supplied $or/$nor cannot bypass per-tenant filter (cross-tenant data exfiltration)
• [errorlogs] Reject path-traversal in admin log file paths
• [event_groups] Whitelist updatable fields on create/update; scope reads by app_id
• [exports] Add stream error handlers to export download
• [exports] Authorize /o/export/download by task ownership / app_id
• [notes] Bind notes to permission-checked app_id; check edit permissions against the note's stored app_id
• [notes] Enforce saveNote schema validation
• [output] Remove noescape query-string bypass on returnOutput (reflected-XSS via parameter)
• [push] Bind message create/test/update/one/remove/toggle to query-string app_id (cross-app push injection)
• [redirect] Apply SSRF protection (api/utils/ssrf-protection.js) to app.redirect_url outbound requests
• [render] (--disable-web-security) removed from puppeteer
• [reports] Add stream error handlers
• [star-rating] Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes (backport of #7532)
• [star-rating] Defense-in-depth on image upload/serve routes
• [system-utility] Harden streamed responses with error handlers
• [tasks] Authorize /i/tasks/{update,delete,name,edit} per task ownership / app admin / global admin
• [users] /users/check/username now requires global admin (parity with email check)

Enterprise Features:

• [journey_engine] Maker checker approver
• [journey_engine] Engagement cooldown information added to journey builder and user profiles

Enterprise Fixes:

• [active_users] Fixed logic to prevent triggering active users calculation if it
• [cognito] Fix crash on GET /clogin/:code when body-parser 2.x leaves req.body undefined on requests with no bodyis already running.
• [drill] Add query hint based on default indexes
• [drill] Add contextual links in drill table for user IDs and crash groups
• [drill] Resolve device IDs to user profiles via server-side redirect endpoint
• [drill] Open crash group and user profile links in new tab
• [drill] Show user-friendly error message when saving a query fails
• [users] Fix MongoDB dot encoding (.) leaking into user profile UI filters, breakdown dropdown, and URLs