webtrees 2.0.17 is now available for download. There are a few bug fixes and additional census definitions; however, this is mostly a security-fix release.
- XSS vulnerability in add note/source modal dialog.
- No validation on redirect URL after completing various actions.
- No rate limit for password reset, registration and contact forms.
- An admin can delete core files from the /data folder.
- XSS vulnerability in tree titles in control panel.
- User credentials are echoed in the URL when the registration form has errors.
- The password reset form allows you to determine if a user account exists.