BTCPay Server v1.7.6: Vulnerability Fixes and API Updates

There are two vulnerabilities fixed in this release.
Those are not severe, as it requires the victim to actively click on a malicious link and public registration, but we recommend to update.

We also introduce a breaking change in the Greenfield API route /api/v1/stores/{storeId}/rates/configuration/preview. (#4607)
This breaking change shouldn’t impact the majority of people.

New features

Make Lightning NFC built in (#4541) @KukksGreenfield get app details (#4102) @bolatovumarGreenfield: Add store rates api (#4550) @KukksServer Theme: Allow to unset CustomThemeCssUri @dennisreimannStore Branding: Add custom CSS option (#4459, #4527) @dennisreimannStore branding on invoice and receipts, payment requests and pull payments, point of sale and crowdfunding (#3842, #4568) @dennisreimannAdd Greenfield API endpoint for pull payment LNURL items (#4472) @bolatovumarGreenfield: Add lightning payments list endpoint (#4407) @dennisreimannAdd additional permission for pull payments (#4539) @Kukks

Bug fixes

Fix: Mark selected payouts as already paid had an unexpected result (#4579) @KukksFix: Payjoin wasn’t always properly choosing utxo for optimal change (#4600) @NicolasDorierFix: If PoS item code contains a /, LNUrl would not work (#4601, #4602) @NicolasDorierFix: a bunch of open redirect (#4575). Credit to @gonzxph. @NicolasDorierFix: Disqus integration in Crowdfunding store (#4580, #4572) @dennisreimannFix: XSS on uploaded files to the file storage (#4567) Credit to @ctflearner. @NicolasDorierFix: Greenfield currency rate should be strings (#4607) @NicolasDorier

Improvements

If a domain name is mapped to an app, always redirect the ugly /apps/{appId} to it (#4391) @dennisreimannAdd missing CORS to LN Address/LNUrl route (Compatibility with Beach Wallet) (#4587) @NicolasDorierMake plugin able to register rate providers (#4551) @NicolasDorierPoint of Sale: Improve merchant view (#4560) @dennisreimann

Github Repo

Leave a Reply

Your email address will not be published. Required fields are marked *

Generated by Feedzy