Released: February 19, 2023
This version backports fixes from versions 4.4.3 and 4.4.4.
The interface of the library used for generating QRCodes changed and broke the OTP QRCode generation. The image interface was updated, a new test added, and the entire QRCode generation simplified to lower the changes of future regressions.
The Python Transifex client was remove and replace with the new Go based client. This client is OS dependent and needs to be installed manually when working with translations (https://github.com/transifex/cli).
The validation errors in the document metadata API were incorrectly causing HTTP 500 server errors. A custom REST API exception handler was added to workaround inconsistent validation exception behavior in the Django REST framework and ensure validation error raise a HTTP 400 error instead.
The tag labels are now sanitized when generating the Select2 user interface widget template. This closes the XSS weakness reported in CVE-2022-47419: Mayan EDMS Tag XSS.
This is a limited scope weakness of the tagging system markup that can be used to display an arbitrary text when selecting a tag for attachment to or removal from a document.
It is not possible to circumvent Mayan EDMS access control system or expose arbitrary information with this weakness.
Attempting to exploit this weakness requires a privileged account and is not possible to enable from a guest or an anonymous account. Visitors to a Mayan EDMS installation cannot exploit this weakness.
Django's SESSION_COOKIE_HTTPONLY setting is not currently exposed by Mayan EDMS' setting system, therefore it is not possible to disable this protection by conventional means.
Any usage of this weakness remains logged in the event system making it easy to track down any bad actors.
Due to all these factors, the surface of attack of this weakness is very limited, if any.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.