Documentation for Web Help Desk

WHD 12.8.4 release notes

Release date:

Here's what's new in Web Help Desk 12.8.4.


New features and improvements in WHD


SolarWinds upgraded some library software

The following software was upgraded:

  • Tomcat version to 9.0.96
  • JDK version to 11.0.25

Fixes


| Case number | Description |
| --- | --- |
| 01793715, 01781660 | Checklist can now be deleted. |
| 01807342, 01786275, 01788004, 01794393, 01787219, 01787118, 01788627 | Tech is now able to see non-tech group assigned tickets in the My Ticket and Group Ticket tab list. |
| 01748614, 01731205, 01721583, 01758632, 01754187, 01724284, 01761224, 01763632, 01769096, 01773651, 01778402, 01783088, 01780315 | Implemented Graph API authentication changes for outgoing mail account. |
| 01766480 | Save Note button is no longer disabled in the client UI for tickets that have custom fields (Currency). |
| 01785881, 01789756, 01791126, 01786315, 01806778, 01804284 | Character combo in text fields no longer causes a session crash. |
| 01787859, 01786401, 01789417, 01791434, 01795118, 01753225 | Users can now log in via SSO/ADFS. |

CVEs

Last updated: 12/9/2024

SolarWinds would like to thank the security researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

SolarWinds CVEs

| CVE-ID | Vulnerability Title | Description | Severity | Credit |
| --- | --- | --- | --- | --- |
| CVE-2024-45709 | SolarWinds Web Help Desk Local File Read Vulnerability | SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode, making exposure to the vulnerability very limited. | 5.3 Medium | Harsh Jaiswal from Project Discovery |

Third Party CVEs

| CVE-ID | Vulnerability Title | Description | Severity |
| --- | --- | --- | --- |
| CVE-2020-26870 | Cross-Site Scripting Vulnerability | Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. | 6.1 Medium |
| CVE-2024-52316 | Unchecked Error Condition vulnerability in Apache Tomcat | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. | 9.8 Critical |
| CVE-2024-45801 | Cross-Site Scripting Vulnerability | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders DOMPurify unable to avoid cross-site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability. | 7.3 High |
| CVE-2024-47875 | Cross-Site Scripting Vulnerability | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3. | 9.8 Critical |
| CVE-2024-48910 | DOMPurify vulnerable to tampering by prototype pollution | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. | 9.1 Critical |
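
To confirm that a host's Tomcat build is outside the versions affected by CVE-2024-52316, compare it against the ranges quoted in the description above. This is an added example, not SolarWinds or Apache code: the function names and sample banner lines are constructed, and it assumes the banner format `Server version: Apache Tomcat/x.y.z`.

```python
import re

# Affected ranges copied from the CVE-2024-52316 description on this page
# (inclusive at both ends). "-M<n>" builds are Tomcat milestone pre-releases.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M26"),
    ("10.1.0-M1", "10.1.30"),
    ("9.0.0-M1", "9.0.95"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_tomcat_version(text):
    """Return a sortable tuple; milestone builds sort before the final release."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    # (0, n) for milestone n, (1, 0) for a final release: 11.0.0-M26 < 11.0.0.
    stage = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + stage


def is_affected(version):
    """True if the version falls inside any affected range listed above."""
    parsed = parse_tomcat_version(version)
    return any(
        parse_tomcat_version(low) <= parsed <= parse_tomcat_version(high)
        for low, high in AFFECTED_RANGES
    )


def version_from_banner(banner):
    """Extract the version from a 'Server version: Apache Tomcat/x.y.z' line."""
    match = re.search(r"Apache Tomcat/(\S+)", banner)
    if not match:
        raise ValueError("no Tomcat version found in banner")
    return match.group(1)


if __name__ == "__main__":
    # Constructed sample banner lines, not captured from a real host.
    for line in ("Server version: Apache Tomcat/9.0.95",
                 "Server version: Apache Tomcat/9.0.96"):
        version = version_from_banner(line)
        print(version, "AFFECTED" if is_affected(version) else "not in affected range")
```

Only the ranges listed on this page are checked; a version outside them is reported as not in range, which says nothing about other advisories.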

Before you upgrade!


Installation or upgrade


For new installations, you can download the installer from the SolarWinds website or from the Customer Portal. For more information, see the WHD Installation and Upgrade Guide.

After you complete the installation, see the WHD Getting Started Guide. This guide picks up right after the installation process and walks you through the initial steps you need to take to start using the application.

WHD supports Windows Server 2019 and 2022 for production environments and Windows 11 for trial evaluations. These operating systems require additional setup before you install. See the WHD Installation and Upgrade Guide for instructions.


WHD no longer includes the additional configuration files required to enable Federal Information Processing Standards (FIPS) mode in the application. To install WHD and enable FIPS, see Enable FIPS in a new deployment in the WHD Administrator Guide.

If you are installing WHD 12.7.12 with FIPS mode disabled, make sure version 12.7.9 is running on the host server before you install. When the installation is completed, enable FIPS mode.

For upgrades, use the WHD Installation and Upgrade Guide to plan and execute your upgrade. When you are ready, download the upgrade package from the SolarWinds Customer Portal.

To upgrade to WHD 12.8.4, follow the upgrade instructions in Determine the upgrade path to the latest WHD version.

Legal notices

© 2024 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.