This update addresses a security vulnerability identified in the product. It also includes other defect fixes and minor changes completed since release 4.0.57.23. No new features are introduced in this release.
Security Vulnerability Summary
The ValidateExport service had no authentication parameter, potentially exposing identifiable data to an outside party. For the issue to become exploitable, all of the following would have to be true:
the web services would have to be hosted on a server that is externally accessible;
the complete web service URL must be known, not just the service name and the domain (the full address could be discoverable through the mvcdiagnostics page);
the receiving party must have a way to call the service itself; it is not something a user could accidentally stumble onto by clicking around in a browser.
Affects HIFIS version(s): 4.0.55 and up.
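To make the gap and its fix concrete, the following is an added illustration, not HIFIS code: a minimal model of a service call that, like the fix listed under Bug Fixes, accepts the request only when the caller has an authenticated user session or presents a valid application security token. The header name X-App-Token, the Request model, the token value and the handler names are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder for the application token a deployment would keep in
# protected configuration (not a HIFIS value, not a real secret).
APP_TOKEN = "constructed-example-token-do-not-reuse"


def issue_app_token() -> str:
    """Generate a fresh, unguessable application token (43 URL-safe chars)."""
    return secrets.token_urlsafe(32)


@dataclass
class Request:
    """Minimal model of an inbound service call (constructed for this example)."""
    path: str
    headers: dict = field(default_factory=dict)
    user: Optional[str] = None  # set when the caller has an authenticated session


def authorize_service_call(req: Request, app_token: str = APP_TOKEN) -> bool:
    """Allow the call if it carries an authenticated user, or else a valid
    application token in the X-App-Token header (header name is an assumption).

    The token is taken from a header rather than the URL so it does not end
    up in access logs or diagnostics pages alongside the service address, and
    the comparison is constant-time so an attacker cannot learn the token
    byte by byte from response timing.
    """
    if req.user is not None:
        return True
    presented = req.headers.get("X-App-Token")
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), app_token.encode())


def validate_export_unfixed(req: Request) -> dict:
    """Hypothetical pre-fix handler: returns the export result to any caller
    who knows the URL, which is the exposure described above."""
    return {"status": 200, "body": {"export_ok": True}}


def validate_export(req: Request) -> dict:
    """Hypothetical post-fix handler: same result, but only for authorized callers."""
    if not authorize_service_call(req):
        return {"status": 401, "body": "unauthorized"}
    return {"status": 200, "body": {"export_ok": True}}


if __name__ == "__main__":
    anonymous = Request("/ValidateExport")
    print("unfixed, anonymous:", validate_export_unfixed(anonymous)["status"])
    print("fixed, anonymous:  ", validate_export(anonymous)["status"])
    print("fixed, token:      ",
          validate_export(Request("/ValidateExport",
                                  headers={"X-App-Token": APP_TOKEN}))["status"])
```

A quick check against a deployed instance is to call the service URL with no session and no token and confirm the response is a 401 rather than export data; the same request with the token in the header should succeed.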
Bug Fixes
Fixes included in this release:
Added an application security token to service calls that are invoked without an authenticated user;
Fixed the issue experienced by users logging in after a previous session by another user on the same device: the user logging in would not see all Service Providers they had access to;
Fixed the broken link preventing users from accessing the registration function under the administration menu;
Resolved the issue preventing users from using the side menu links in the Housing Placements Edit view;
Fixed the issue that led to orphan records when users deleted Turnaways;
Fixed the issue where the application would calculate and show different age values for the same client in different places in the application;
Fixed the issue in Family VI SPDAT calculations where an incorrect number of family heads was producing misleading assessment scores.
Minor Changes
Minor changes included in this release:
Broadcast messages are now initialised with a different set of options such that they need to be clicked to be dismissed;
The start date sort in Subsidies under Housing Loss Prevention now defaults to descending order;
Start and End dates can now be modified in Bed Status history;
A Storage item can be deleted from "Client - Storage" list.