LogonBox VPN 2.3.13 Released


LogonBox VPN 2.3.13 has been released


Changes in this release


  • Added support for importing images from Active Directory's thumbnailPhoto attribute for displaying as the LogonBox user's profile image.
  • User Selective 2FA no longer prompts you to select an authentication module if you only have one available.
  • Added an option in Sessions->Session Options->Websocket to add allowed origins for any WebSocket communication.
  • Added an option in System Configuration->Security to enable X-Forwarded-For headers.
  • Added Referrer-Policy and Permissions-Policy attributes to HTTP headers.
  • Changed the default AD fields a user has access to in their profile from Editable to View only.



  • Fixed a persistent XSS in a user's Custom Questions page.
  • Fixed a persistent XSS in a user's My Profile page.
  • Fixed a couple of XSS issues in JSON responses.
  • Anti-CSRF tokens added to a small number of pages that had them missing.
  • It is now possible to delete a Security Question that already has existing answers set by users.
  • Top 5 Operating Systems, Top 5 Browsers, Top 5 Users and Top 10 Resources graphs are now available to display again in the admin dashboard.
  • The synchronize button is now visible again for admins on a non-system realm.
  • LDAP user directory option is now visible again in Configure User Database.
  • Added some performance changes to the database to reduce table locks.
  • More than two authentication factors are now working as expected for User Login.


VPN client changes:

  • Dark branding colours for links in dark mode were hard to read
  • Better transition to remote authorisation page on first load.
  • Improved look of remote authorisation.
  • Better clean up on shutdown of service.


The LogonBox team.