What's New With SimpleRisk 20240603-001 Release

SimpleRisk Core

 

The SimpleRisk 20240603-001 release is a small security and bug fix patch as we continue efforts on the major UI refresh. This release also contains a fix for issues preventing enabling MFA for users. 

 

20240603

 

The following change was made to improve usability:

 

  • Updated the default highlight colors and selector.


This release includes the following bug fix:

 

  • Fixed an issue where a URL was updated in the MFA chain, breaking the ability to create new MFA accounts. This has been resolved and accounts can now add MFA without issue.

 

This release includes the following security fixes:

 

  • SimpleRisk now invalidates existing active sessions for a user when MFA is activated for that user (other than the session used to activate MFA).
  • You can no longer use an MFA token more than once, even in rapid succession. A token now becomes invalid upon use rather than only when its time limit expires.
  • Applied the same rate limiting that we have for passwords to the MFA token anywhere it is used.
  • Password reset links are invalidated if the email address is changed for a user.
  • Introduced a rate limit on the password change page to stop brute forcing of the current password.

 

The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core. This release targets bugs with customization and notification that were reported by users.

 

The full list of updates to Extras is as follows:

 

Customization Extra

  • Fixed an issue where templates were not being displayed as intended between different custom field groups.
  • Merged existing non-default template groups down to the default template for outside groups of fields. This is to prevent any changes to the fields displayed based on the state of default fields of other groups.
  • Fixed an issue where the custom 'date' fields don't display the date selector for fgroups "framework" and "control" (both add and edit screens)
  • Fixed issues stemming from default data format selection, as well as dates added to the asset template.
  • Fixed an issue where certain fields on the asset template could not be moved freely.

 

Other Notes

A SimpleRisk user noted that they were having difficulty logging in with the default username of “admin” with password of “admin”. Upon investigation, it was discovered that PHP was enforcing secure cookies, but the application was not using SSL, so the session values were not set. This may be an isolated instance, but if you experience this issue, try installing an SSL certificate and running SimpleRisk over HTTPS to fix it.

 
