LogonBox SSPR 2.3.13 Released


LogonBox SSPR 2.3.13 has been released


Changes in this release


  • Added support for importing images from Active Directory's thumbnailPhoto attribute for displaying as the LogonBox user's profile image.
  • User Selective 2FA no longer prompts you to select an authentication module if you only have one available.
  • Added an option in Sessions->Session Options->Websocket to add allowed origins for any WebSocket communication.
  • Added an option in System Configuration->Security to enable X-Forwarded-For headers.
  • Added Referrer-Policy and Permissions-Policy attributes to HTTP headers.
  • Changed the default AD fields a user has access to in their profile from Editable to View only.
  • Added an option in Authentication Flows->Authentication Options->Security to require the current password for Change Password. Turning this off will allow password changes on Azure if you have Azure MFA configured.


  • Fixed a persistent XSS in a user's Custom Questions page.
  • Fixed a persistent XSS in a user's My Profile page.
  • Fixed a couple of XSS issues in JSON responses.
  • Anti-CSRF tokens added to a small number of pages that had them missing.
  • Accounts requested using the Create Account feature now correctly write the user's email address to the user directory.
  • It is now possible to delete a Security Question that already has existing answers set by users.
  • Top 5 Operating Systems, Top 5 Browsers, Top 5 Users and Top 10 Resources graphs are now available to display again in the admin dashboard.
  • Checks for profile completion now accurately calculate a complete profile for users when Assigned Flow module is in use.
  • The synchronize button is now visible again for admins on a non-system realm.
  • Profile history graph displays in the same chronological order as the other graphs.
  • LDAP user directory option is now visible again in Configure User Database.
  • Added some performance changes to the database to reduce table locks when sending emails.
  • More than two authentication factors are now working as expected for User Login.


The LogonBox team.