Code Fix: Security improvement form and view parameters values.
KB003409
Issue Description
After installing K2 Five (5.2) May 2019 Cumulative Update Fix Pack 2, form and view parameter values were URL-decoded twice. This caused functional issues, depending on how the forms or views were designed with parameters, and impacted security. In workflows, user tasks did not correctly URL-encode the worklist item URL’s parameters if a parameter value contained special characters such as &, / and ?. Certain special characters, such as % and £, were also incorrectly URL-encoded twice.
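The behaviours described above, reproduced as an added example (not K2 code and not part of the original article). The host name, form path, parameter names and helper functions are constructed for illustration. It shows why a second decode pass changes a value that legitimately contains an escape sequence, and why unencoded values change the query structure.

```javascript
// Added illustration, not K2 code. BASE and all parameter names are constructed.
const BASE = "https://k2.example.test/Runtime/Form/Approval/";

// Correct: encode every name and value exactly once when building the URL.
function buildUrl(params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${BASE}?${query}`;
}

// Defect: values concatenated raw, so &, / and ? alter the query structure.
function buildUrlUnencoded(params) {
  const query = Object.entries(params).map(([k, v]) => `${k}=${v}`).join("&");
  return `${BASE}?${query}`;
}

// Defect: encoding applied twice, so "%" and "£" no longer round-trip.
const encodeTwice = (v) => encodeURIComponent(encodeURIComponent(v));

// Correct: split the raw query first, then decode each part exactly once.
function readParams(url) {
  const out = {};
  for (const pair of url.slice(url.indexOf("?") + 1).split("&")) {
    const i = pair.indexOf("=");
    const rawKey = i < 0 ? pair : pair.slice(0, i);
    const rawVal = i < 0 ? "" : pair.slice(i + 1);
    out[decodeURIComponent(rawKey)] = decodeURIComponent(rawVal);
  }
  return out;
}

// Defect: a second decode pass over values that were already decoded.
function readParamsDecodedTwice(url) {
  const out = {};
  for (const [k, v] of Object.entries(readParams(url))) {
    try { out[k] = decodeURIComponent(v); }
    catch (e) { out[k] = `<${e.name}>`; } // a lone "%" is not a valid escape
  }
  return out;
}

// Constructed sample values using the characters named in the issue description.
const sample = { Title: "R&D/Q1?", Discount: "50% off", Cost: "£20", Ref: "A%26B" };
```

With a single decode every sample value round-trips unchanged. With the second pass, the literal text `A%26B` becomes `A&B` and `50% off` can no longer be decoded at all.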
Resolution
The fix is available in the following K2 versions:
K2 4.7 March 2018 Cumulative Update | K2 Five (5.0) September 2018 Cumulative Update | K2 Five (5.1) November 2018 Cumulative Update | K2 Five (5.2) May 2019 Cumulative Update | K2 Five (5.3) |
---|---|---|---|---|
X | X | X | Fix Pack 22 | Fix Pack 28 |
- Ensure you have the correct K2 version and/or Cumulative Update installed. See KB001893 to check which Fix Pack level you have installed.
- Download the latest Fix Pack using the links in the table above for the version you require.
- Install the Fix Pack to apply the fix.
- It is recommended to refresh the browser cache.
Considerations
K2 Five (5.2) May 2019 Cumulative Update Fix Pack 2 contained a fix described in https://help.k2.com/kb003203. Note that after installing K2 Five (5.2) May 2019 Cumulative Update Fix Pack 22, your running instances containing the Pound symbol will no longer be decoded correctly. To work around this issue, start a new instance of the workflow to obtain the correct decoding, or contact support for a script that updates all running instances in the K2 Database.