4.81.02

 

October 13, 2012

SECURITY Advisory - SQL INJECTION VULNERABILITY
Versions Affected: All

Issue:
A SQL Injection vulnerability has been detected in the Novo Knowledge Base.

For customers with a public-facing Novo Knowledge Base (one that does not require a user login), the vulnerability allows an attacker to use the Knowledge Base Search feature (with a specialized category-based search via URL) to inject and execute SQL commands in the system. Successful exploitation of the vulnerability may result in harmful changes to the Novo database (or other databases if the Novo DB user has access to them) and the Novo Web application.

Customer sites that are hosted with Novo are already protected against this vulnerability.
 
Resolution:
Update your Novo software to the latest version (v4.81.02). This update was posted on October 19, 2012.

Follow the links below to update your Novo software to version 4.81.02:

Upgrade Novo From Version 4.3 and Above

Update 4.3 or later with the Novo Configuration Tool (Proxy)

Other Changes
Below are other bugs and incidents that are resolved with version 4.81.02:
  • Fixed an issue where updating a UDF Checkbox using the API always returns ResultValue of -1
  • Fixed an issue where navigating to an unauthorized print view (print.asp?one=1&id={Article_id}) does not redirect to login.asp
  • Fixed an issue where parameterized reports cannot be exported to Excel if a parameter is not filled in
  • Fixed an issue where the Default ticket template does not display all of the fields when there is no contact and PC Inventory is licensed
  • Fixed an issue where Request notes were not displayed on notes.asp after they were added from Manage Requests
  • Fixed an issue where the Send Report dialog does not appear when using IE 9 on Windows 7
  • Fixed an issue where the Add Asset form does not display when Auto Asset Code exceeds 17 characters
  • Fixed a conflict error issue in MergeUsers.asp when merging contacts who are subscribed to articles
  • Fixed an issue where the Sub Article list still shows when "Display Sub Article List" is disabled
  • Added the ability to schedule PC Inventory updates
  • Miscellaneous Editcase button label changes