Broadleaf 3.0.16-GA

Released on March 31, 2015

This version of Broadleaf was an emergency patch release in order to plug a security hole present in 3.0.15-GA and below. Before this release, a malicious admin user could hijack the login of another admin user using rest password tokens. This was the extent of the vulnerability and Customer (frontend) logins has had this security from the beginning and did not require a patch.

We strongly recommend an immediate upgrade to this version of Broadleaf 3.0, especially if you have built up and are utilizing robust security permissions and many users in the admin.

An at-a-glance view of the issues that were closed in this release:

Critical Bugs(1)

• Improve forgot password token security in Broadleaf Admin
• When validating rule builders in the admin there is a potential for a NullPointerException

Enhancements(1)

• i18n Enhancement: certain fields on some entities should be translatable. (e.g. Attributes/Challenge Question)

Total Resolved Issues: 3