CASE PM-68678-19-201876
In the web.config files of the Aranda PassRecovery sites, the policies script-src 'self' 'unsafe-inline' 'unsafe-eval' and object-src 'none' have been added to the Content-Security-Policy (CSP) as a security improvement measure, ensuring a robust content security policy. The configurations are as follows:
- The values script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; object-src 'none'; are included inside the Content-Security-Policy tag in the web.config files of the Aranda PassRecovery Administration (APRADMIN) and Users (APRUSERS) web consoles.
- The value default-src 'none'; is included inside the Content-Security-Policy tag in the web.config file of the Aranda PassRecovery API (APRAPI).
⚐ Note: Content Security Policy (CSP) settings that include the ‘unsafe-inline’ and ‘unsafe-eval’ options are essential for the proper functioning of the tool, as they allow the execution of necessary scripts from a third-party library.
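One way to confirm after the update that a web.config carries the policy listed above. This is an added example, not Aranda's code: the sample file, its `customHeaders` layout, the site keys `console` and `api`, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Policies stated in the release note, keyed by site type (keys are hypothetical).
EXPECTED = {
    "console": "script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; object-src 'none'",
    "api": "default-src 'none'",
}

def parse_csp(value):
    """Split a CSP value into {directive: set of source expressions}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # Browsers ignore a repeated directive, so the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy

def csp_from_web_config(xml_text):
    """Return the value of the first <add name="Content-Security-Policy"> element, or None."""
    for el in ET.fromstring(xml_text).iter("add"):
        if el.get("name", "").lower() == "content-security-policy":
            return el.get("value", "")
    return None

def check(xml_text, site):
    """List deviations from the expected policy; an empty list means the file matches."""
    value = csp_from_web_config(xml_text)
    if value is None:
        return ["Content-Security-Policy header not found"]
    actual, expected = parse_csp(value), parse_csp(EXPECTED[site])
    findings = []
    for name, sources in expected.items():
        if name not in actual:
            findings.append(f"missing directive: {name}")
        elif actual[name] != sources:
            findings.append(f"{name}: expected {sorted(sources)}, found {sorted(actual[name])}")
    findings += [f"unexpected directive: {n}" for n in actual if n not in expected]
    return findings

# Constructed sample; placing the header under customHeaders is an assumption.
SAMPLE = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="Content-Security-Policy"
       value="script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; object-src 'none';" />
</customHeaders></httpProtocol></system.webServer></configuration>"""

if __name__ == "__main__":
    print(check(SAMPLE, "console") or "policy matches the release note")
```

Run it against the web.config of each site with the matching key; any finding means the file differs from the values listed in this release note.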
AngularJS Version Update
The AngularJS version is updated to 1.8.8 in the Aranda PassRecovery User Console (APRUsers) to fix vulnerabilities present in previous versions of AngularJS.
This update requires that stored browsing data (cache and cookies) be deleted to avoid compatibility conflicts with the new version when using the console.
⚐ Note: Aranda Software has acquired extended support for this library, which allows mitigating possible security vulnerabilities.
⚐ NOTES OR ADDITIONAL INSTRUCTIONS
- Run the “Aranda.PassRecovery.Installer.exe” file and follow the instructions in the installer.
- The executable file functions as both an installer and an update tool.
- This update applies only to databases in version 8.0.169.