Following several reports of issues with phase email templates, we have carried out an investigation. During the investigation, we confirmed that phase email customizations were being reverted to the default whenever a challenge was updated.
We have now implemented a change to prevent the phase email templates from being reverted when any changes are made to the challenge configuration. This will work for all phase configurations up to the maximum of ten. There is no change in the behavior for the administrator: simply configure and save the template as normal.
Upgraded FasterXML Jackson to version 126.96.36.199 to prevent remote attackers from conducting server-side request forgery (SSRF) attacks by leveraging a failure to block the axis2-jaxws class from polymorphic deserialization.
Upgraded dom4j to version 2.1.3 to enable the safe, non-default behavior in any application that uses dom4j.
Upgraded Pivotal Spring Framework to 5.2.9 to prevent a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
Upgrade Handlebars Version
Following our internal security scan process, we have upgraded Handlebars to version 4.5.3. This is in response to a finding that versions of Handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution.