4.86v

1. Notable changes since 4.85v
   - Performance statistics dashboard widgets: added new `dep_performance` and `op_performance` dashboard widgets that display real-time aggregated statistics for departments and operators respectively; widgets support configurable columns (chats received, chats answered, wait time, first/average response time, thumbs up/down, online/offline time) with configurable position and update intervals; new settings UI under Statistics for both department and operator performance configuration.
   - Performance stats cron aggregator: new cron job (`cron/stats/performance`) aggregates department and operator performance data into the new `lh_abstract_performance` table; supports forced regeneration via `-p force`; configurable update interval and day range; cron respects sql_mode and local timezone settings.
   - New `Performance` and `PerformanceWidgets` models: `Performance` model stores/retrieves serialized performance snapshots; `PerformanceWidgets` provides formatted data for dashboard sync, including per-department and per-operator stats with access-control filtering.
   - Security and authentication hardening: improved password verification logic in REST API validator; added constant-time response delay in forgot-password flow to mitigate timing attacks; updated hashing methods for login and password update flows; implemented expired hash cleanup (deleteExpiredHashes) called from setRemindHash, remindpassword, and forgotpassword modules; removed LDAP authentication components; updated autologin with nonce support and improved hash validation; masked error messages for users without access to unhidden emails in send and reply APIs.
   - Bot and event system: enhanced chat variable update handling and event dispatching; ignored default trigger message when a trigger is started manually; added support for invisible arguments in bot triggers; added event dispatch for transfer-to-human action; added event argument for custom is-online status checks.
   - Editor and operator UI: added switch-editor option in active chat tab and a new permission for operators to toggle between new and old editors; added icons and colors to the transfer window; increased subject modal window width; fixed form loading scroll event; avoided null being displayed before a chat starts.
   - Export and reports: enhanced export functionality with ChatML support and UI improvements; fixed compatibility with non-strict sql_mode for certain reports.
   - Bug fixes: fixed matching rule search; minor fixes including string conversion and typo corrections.

2. Summary
   - This release introduces a new real-time performance dashboard with configurable department and operator widgets backed by a cron aggregator and a dedicated `lh_abstract_performance` table.
   - Security is hardened across authentication flows: stronger hashing, timing-safe responses, expired hash cleanup, autologin nonce support, and LDAP removal.
   - Operator productivity is improved with a switchable editor, richer transfer UI, and expanded bot/event capabilities. Export and report compatibility are also addressed.

execute doc/update_db/update_352.sql for update

4.85v

1. Notable changes since 4.84v
   - Security and access control: tightened chat operation permissions by requiring proper read/write access checks; additional permission hardening was applied across related flows.
   - CSP and policy handling: completed CSP parser integration and follow-up fixes, including policy exposure hardening and parser/library alignment.
   - Voice messaging and widget UX: improved voice-message flow and UX, updated voice app behavior, kept cursor focus on desktop, and added a widget-theme option to disable voice messages.
   - Translation workflow: improved automatic translation reliability, added DeepL model/formality options, enhanced metadata/error handling, and refined start/stop and old-message translation flows.
   - Analytics and timing metrics: improved chat duration/response-time calculations, participant timing accounting, and operator duration output in reports.
   - REST API and diagnostics: added optional custom REST API messages, improved exception visibility/traceback details, and enabled direct log viewing from back office.
   - Invitations and online-hours logic: enhanced invitation alias/profile handling and improved overlapping online-hours period calculations.
   - UI/translations/dependencies: updated translations, refreshed JS dependencies (including html-react-parser migration), and applied multiple package/security updates.
   - Misc fixes: delivered issue-specific fixes and regressions cleanup (including #2378, #2379, #2382), plus release workflow updates.

2. Summary
   - This release focuses on security hardening, CSP maturity, and operator productivity, while also improving voice messaging UX and translation automation quality.
   - It also improves chat/mail timing metrics and diagnostics, with additional stability updates across UI, dependencies, and release automation.

No new DB migration script required for this release.

4.84v

1. Notable changes since 4.83v
   - REST API and bot workflow: improved REST API trigger execution and request body handling with attachment support; added skipped-body debug preview; enhanced chat locking behavior for streaming and chunked responses while preserving typing indicators.
   - Widget and UI: expanded widget theme customization options (including color controls), applied theme colors to offline form, improved message delivery indicator styling, fixed height adjustments and zoom/icon interaction issues, and added support for custom nick from admin themes.
   - Notifications and operator workflow: added assignment notification preferences (assigned pending chats vs all pending chats), quick action for auto-assignment, and persistent disabling of mobile notifications.
   - Chat filters and analytics: added participant filters to chat search, improved filters and restored pagination behavior, added participant-aware export enhancements, and introduced average chat duration by agent/participant.
   - File validation and security hardening: expanded MIME type handling for common file types and strengthened uploaded file verification (including file preview upload flow).
   - Translation and UX polish: improved translation error handling and transaction flow, added operator notice for active chat translation state, and updated translations across modules.
   - Core/codebase maintenance: added new tables and schema updates, improved error/log reporting and timing diagnostics (render and DB connection timing), and modernized PHP code style in core files.

2. Summary
   - This release focuses on reliability and operator experience: stronger REST API/bot handling, better widget customization and messaging UX, richer notification controls, and improved chat search/export analytics.
   - It also includes security-oriented file validation improvements, translation workflow refinements, and core maintenance updates for better observability and long-term stability.

execute doc/update_db/update_351.sql for update

4.83v

1. Notable changes since 4.82v
   - Chat list sorting: added sort options for highest and lowest message count in chat lists; a validation warning is shown when sorting by message count without a date range of 31 days or less.
   - Webhooks: debug mode support added to `processEvent` in both chat and mail conversation continuous webhook classes; new validation conditions `notempty` and `in_list`; improved error handling and logging; webhook form updated with chat ID testing and improved button styling; test pattern module enhanced with webhook ID validation.
   - Dropdown: "Select all" and "Unselect all" buttons added to multi-select dropdowns across the back-office; dropdown plugin and render helper updated accordingly.
   - Subject filter: subject filter conditions added to the chat list search panel and mail conversation search panel; department user dep logic enhanced.
   - Widget: bumped to version 272; improved `screenAttributesUpdate` height/width calculations for better responsiveness across screen sizes; wrapper now passes its version to the API; fixed proper termination in wrapper source.
   - Canned messages: fixed auto-uppercase breaking text input in the new rich-text editor (LHCEditor).
   - REST API: fixed authentication validator regression.
   - Chat core: added support for dashes in chat handling logic.
   - Templates: minor fixes in chat lists template and survey fill-widget template.

2. Summary
   - This release improves chat list usability with message count sorting, strengthens webhook debugging with debug mode and new validation conditions, and enhances multi-select dropdowns with select-all/unselect-all controls.
   - Widget responsiveness and wrapper version reporting are improved; canned message auto-uppercase and REST API auth issues are resolved.

execute doc/update_db/update_350.sql for update

4.82v

1. Notable changes since 4.81v
   - Security/file handling: enhanced MIME type validation across file download endpoints (`downloadfile.php`, `inlinedownload.php`, REST API `file.php`); MIME type constants added in mail conversation parser; all operator/visitor uploads validated against `var` folder path; resolved security issues L01, L02, L04, L05, L06, L11, L13.
   - Widget: added expand mode with configurable width/height ratios and new `shrink_text`/`expand_text` UI fields; widget communication updated to include user session prefill variables in sent messages; fixed `reloadWidget` function; updated wrapper version.
   - Chat search/statistics: added message count filters (operators, visitors, bots) to search panel and statistics tabs; added total messages count input field; added search by message ID range.
   - Chat tab visibility: operators can toggle chat tab visibility (show/hide chat tabs) via quick actions in user settings.
   - User settings: added auto-accept chats option and alert preference for transferred chats.
   - Variables/prefill: support for passing custom back-office vars as `lhc_var` variables; encrypted prefilled variables always applied; variable only set when replaceable variable is non-empty; proactive invitations now update vars when custom vars are passed.
   - Theme/translations: widget theme `translate` method accepts user context; REST API modules (`checkchatstatus`, `getinvitation`, `initchat`, `onlinesettings`, `settings`) use user context for theme translations; multilanguage support for custom fields; `fetchByVid` includes caching option.
   - Canned messages: refactored retrieval with `getCannedMessages` method; added `auto_send` filter and `ignore_subjects` parameter.
   - Extensions: support for extensions to contribute custom side-menu items.
   - Configuration: folder/directory write-permission checks added to the configuration page with per-directory success/error indicators.
   - Bot: support for background workers in REST API bot action; improved bot detection filtering.
   - Message history: previous-message loading always uses all messages when the page limit is not reached; safe inclusion of all chat messages.

2. Summary
   - This release strengthens file handling security with MIME type validation, file path checks, and resolves multiple L-series security issues.
   - Operator UX improvements include widget expand mode, chat tab visibility toggles, and richer user settings (auto-accept, transfer alerts).
   - Search and statistics gain new message count filters; extensions gain custom side-menu support; theme translations now respect user context.

3. Contributors

- L01: SSRF via incoming webhook image download (CWE-918)
- L06: Mass assignment in REST API file PUT leading to arbitrary file read (CWE-915, CWE-22)
- L11: Stored XSS via Content-Type spoofing in file upload (CWE-79, CWE-345)
- L13: Unsafe deserialization in configuration loader (CWE-502)

Vulnerability Researcher: Pedro J. Núñez-Cacho Fuentes (https://blogs.tunelko.com)

execute doc/update_db/update_349.sql for update
