RELEASED: Public: 2020-01-29
Security fixes
-
Attackers with 'Overall/Read', 'Agent/Secure' or 'Job/Read' permission can associate any folder where 'Job/Read' permission is granted with any agent where 'Agent/Secure' permission is granted via CSRF.
This issue has been fixed by enforcing the use of the crumb issuer in some methods, and the web page with the authorized agents has been restricted.