This release addresses another security vulnerability discovered by the same security researcher as the previous one fixed in 1.5.8.
This is also a privilege escalation vulnerability, but it can be extended to install malicious software on the Toems server. This has been patched as of 1.5.9. I'm keeping the details private so as to give everyone time to update to this version and will release more information at a later date. Here is the information I can share at this point:
This vulnerability begins with the Toems API but when exploited can then be used against the Toec-API.
It requires that the attacker already have login credentials to Theopenem in order to exploit it.
If you have followed the recommendations, your Toems-UI and Toems-API should not be available outside your network. This means the attack surface is limited to only users on your network that also have credentials for Theopenem.
Next steps:
Upon updating to 1.5.9, as a precaution, you should change the password of all local Theopenem users; Active Directory logins are not affected. You should also reset the password for any impersonation accounts that you have saved into Theopenem.
Documentation on updating to Theopenem 1.5.9 can be found at:
https://docs.theopenem.com/latest/tutorials/updating.html
Having back to back vulnerabilities is both discouraging and disappointing and obviously frustrating to everyone. As I work on 2.0, I am re-evaluating the entire code base looking for potential vulnerabilities. Once complete, if anyone knows any companies or best practices for an independent security audit, I'm open to suggestions, but budget is very limited.