# Version 3.0.13
# Release 3.0.13
Date: 2019-01-23
Name: "jalapeño popper khaki headphones"
# Notes
Security and bug fixes, and some enhancements.
Security fixes:
- potential stored XSS vulnerability (https://github.com/rundeck/rundeck/pull/4406)
Discovered by Ishaq Mohammed at qualys.com
- add Content-Security-Policy and other security HTTP headers to responses (for more info, see https://github.com/rundeck/rundeck/pull/4405)
# Contributors
- Alberto Hormazabal (ahormazabal)
- Greg Schueler (gschueler)
- Jaime Tobar (jtobard)
- Luis Toledo (ltamaster)
- Greg Zapp (ProTip)
- Stephen Joyner (sjrd218)
- Ishaq Mohammed
# Bug Reporters
- ProTip
- ahormazabal
- gschueler
- jtobard
- ltamaster
- sebastianbello
- sjrd218
- vinillum
# Issues
Milestone 3.0.13
- new version of winrm plugin 1.0.10
- Fix Plugin list api by referencing correct plugin list information service
- Add CSP header control variables to Docker image
- Fix #4406: stored xss vulnerability
- Security: stored XSS vulnerability
- Add common web-app security headers
- Add new flag to enable UI plugins on all pages
- Remove environment variable that hijacks jvm ssl settings
- UI plugin install status fix
- Fix #4374. User and role set by AJP were not being properly set.
- Fixes #4376. Partial templates are now expanded and added to base property file.
- Update spring security plugin to last version.
- UUID validation on jobref
- email notification enhancement
- Fix #2975 multiple threads modify the map
- Fixes #115.
- User profile information can be sync'd from LDAP
- UUID validation and Autocomplete in Job Reference Workflow step
- Feature/multi repository support
- Execution Metrics API
- java.lang.ClassCastException: java.util.HashMap$Node cannot be cast to java.util.HashMap$TreeNode
- LDAP login with empty password