SimpleRisk Core
The SimpleRisk 20241130-001 release is a larger fix release with a few new features as well. If you are still experiencing any issues regarding SSO, please contact support@simplerisk.com, as these issues should be resolved at this time and any remaining inability to log in is most likely caused by configuration.
We made a single change to usability:
- The page displayed when clicking on a Test Name under Compliance → Past Audits has been updated for improved visual separation of elements.
These security updates were made:
- Fixed a vulnerability where an authenticated user without permission to access Compliance could query available tags related to Compliance via the API.
- Fixed instances where SimpleRisk did not properly encode HTML elements in user data.
- When "Multi-factor Authentication" is unchecked for a user, their MFA token will now be cleared. If rechecked, the user will be prompted to configure a new MFA token.
- Standardized failure text for all password reset alerts.
This release includes the following bug fixes:
- Resolved an issue where accepting a risk mitigation would not save, and refreshing the page would unsave the mitigation acceptance.
- When deleting a user, any active audit tests the user is part of will now be set to null instead of their user ID.
- Updated display settings to use TEXT data type instead of VARCHAR(1000).
- Fixed an issue where custom field ordering in the DRR did not function as expected.
- Fixed an issue where the creation date of previous file versions in the Document Program showed the same creation date for all versions.
- Fixed an ordering issue in the DRR caused by passing null as the first parameter of stripos(), which is deprecated in later versions of PHP.
- Replaced old datepickers with new ones.
- Resolved a 404 error on the print_view.php page due to missing CSS files, ensuring compatibility with the new UI.
The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core. This release targets bugs with customization and notification that were reported by users.
Custom Authentication Extra:
- Updated the SameSite cookie setting on the SAML login page to restore the ability to mimic an IDP-initiated portal login.
Encryption Extra:
- Fixed an issue where enabling the Encrypted Database would show encrypted asset names when selecting "Assets" from the Connectivity Visualizer Report.
Import/Export Extra:
- Fixed an issue where importing controls with an undefined control class would not create the class as expected, and would only map if the class already existed.
- Implemented a temporary fix for an issue where exporting large single-cell data exceeding Excel's 32,767 character limit would fail. Now, the data will be truncated to fit within the limit.
Incident Management Extra:
- Added a Dynamic Incident Report feature.
Risk Assessment Extra:
- Fixed an issue where users without permission to access the Assessments module were not visible as assessment contacts when sending questionnaires.
- Added the ability to export Questionnaire Results to a spreadsheet.
Secure Controls Framework Extra:
- Fixed an issue where new frameworks would load when the SCF Extra was installed, but not when it was updated.
Other Notes:
- A user reported difficulty logging in with the default username admin and password admin. Investigation revealed that PHP was enforcing secure cookies, but the application was not using SSL, preventing session values from being set. If you encounter this issue, try installing an SSL certificate and running SimpleRisk over HTTPS to resolve it.
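The mismatch described in the note above (PHP sending the session cookie with the Secure flag while the application is served over plain HTTP) can be checked directly on the server. The following diagnostic is an added example and is not part of SimpleRisk; it assumes it is dropped into the web root and opened over the scheme actually in use, and that any reverse proxy in front of PHP sets X-Forwarded-Proto truthfully.

```php
<?php
// Added diagnostic, not SimpleRisk code. Reports whether PHP's session cookie
// can be stored by the browser on this request, which is the precondition for
// the admin/admin login to persist.
declare(strict_types=1);

function request_is_https(array $server): bool
{
    // Direct TLS: PHP sets HTTPS to a non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off') {
        return true;
    }
    // TLS terminated at a reverse proxy (assumption: the proxy sets this header).
    $fwd = strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $fwd === 'https';
}

function session_cookie_secure_enforced(): bool
{
    // session.cookie_secure may come from php.ini, .htaccess or ini_set().
    return filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN);
}

function diagnose(array $server): string
{
    $https  = request_is_https($server);
    $secure = session_cookie_secure_enforced();

    if ($secure && !$https) {
        // This is the failure mode from the release note: PHP still emits
        // Set-Cookie with the Secure attribute, but over HTTP the browser
        // discards it, so session values never reach the next request.
        return 'MISMATCH: session.cookie_secure=1 but this request is plain HTTP; '
             . 'the browser will not store the session cookie, so logins cannot persist. '
             . 'Serve SimpleRisk over HTTPS (or terminate TLS at a proxy that sets X-Forwarded-Proto).';
    }
    if (!$secure && $https) {
        return 'OK but weak: served over HTTPS without the Secure flag; set session.cookie_secure=1.';
    }
    return $secure
        ? 'OK: HTTPS with a Secure session cookie.'
        : 'OK: plain HTTP with a non-Secure session cookie (not recommended for production).';
}

header('Content-Type: text/plain');
echo diagnose($_SERVER), PHP_EOL;
```

Remove the file once the check is done so the server's configuration details are not left exposed to anonymous visitors.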