October/November 2021 Release Notes
The November 2021 PBIX Update can be viewed here.
IdeaPlace Release Notes
User Orientation Video
We encountered an issue which blocked the video content from displaying properly in the application. This was rectified by including the video link in the content security policy of all Planview IdeaPlace instances.
Cross-Site Scripting in CSRF Cookie
Following the identification of an issue relating to the ability to modify the CSRF cookie, we have taken action to prevent this.
During the penetration test, a scenario was identified whereby the CSRF cookie could be modified in order to launch a social engineering attack on a user. In order to remediate this, all headers are now reviewed for proper input sanitization, with filters in place to prevent the insertion of arbitrary code.
When changing an idea owner, the application will now automatically subscribe the new idea owner to the idea. This ensures that the new owner receives important updates about their idea.
The outgoing owner will remain subscribed to the idea, however, as they may wish to receive updates on their progress. They can unsubscribe at any time by visiting the idea page or their profile and selecting Unfollow.