3.5.40

Fixed

• Fix the save callback in the back end password module (see #429).

3.5.39

Fixed

• Invalidate the user sessions if a password changes (see CVE-2019-10641).

3.5.38

Fixed

• Correctly check the permission to move child records as non-admin user.

3.5.37

Fixed

• Prevent information disclosure in the back end (see CVE-2018-20028).

3.5.36

Fixed

• Prevent arbitrary code execution through .phar files (see CVE-2018-17057).
• Correctly reset the autologin data upon logout (#8868).
• Remove support for deprecated user password hashes (see #8889).

3.5.34

Fixed

• Check the registry for table prefixed queries (see contao/core-bundle#1161).
• Improve the folder hashing performance (see #8856).
• Reset the autologin hash if the username or password changes (see #8843).
• Correctly encode the sitemap URLs (see #8849).

3.5.33

Fixed

• Also pass $this in the "customizeSearch" hook (see #8841).
• Quote reserved words in database queries (see #8813).
• Require ircmaxell/password-compat to remain compatible with PHP 5.4.

3.5.32

Fixed

• Fix an XSS vulnerability in the newsletter module (see CVE-2018-5478).
• Do not remove old subscriptions not related to the channels (see #8824).
• Backport the password algorithm changes from Contao 4 (see #8820).

3.5.31

Fixed

• Prevent SQL injections in the back end search panel (see CVE-2017-16558).