ubccr · aaronweeden · May 15, 2026 · Oct 23, 2025 · Oct 30, 2025 · Mar 31, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,30 @@
 # Open XDMoD Change Log
 
+## 2026-05-12 v11.0.3
+
+- Important Notes
+    - This release fixes a critical security vulnerability and two other
+      moderate-to-high severity security vulnerabilities in Open XDMoD:
+        - https://github.com/ubccr/xdmod/security/advisories/GHSA-29qm-7w4v-43fw
+        - https://github.com/ubccr/xdmod/security/advisories/GHSA-3pv7-qvc3-h527
+        - https://github.com/ubccr/xdmod/security/advisories/GHSA-3hfh-m242-8rmh
+- Bug Fixes
+    - Fix bug in which the server runs out of memory when exporting data
+      ([\#2085](https://github.com/ubccr/xdmod/pull/2085)).
+    - Fix tooltip display when hovering over area plots
+      ([\#2077](https://github.com/ubccr/xdmod/pull/2077)).
+    - Fix charting export ([\#2192](https://github.com/ubccr/xdmod/pull/2192)).
+    - Fix username validation
+      ([\#2194](https://github.com/ubccr/xdmod/pull/2194)).
+- Enhancements
+    - Improve performance of database queries
+      ([\#2182](https://github.com/ubccr/xdmod/pull/2182)).
+- Documentation
+    - Update list of publications and presentations
+      ([\#2081](https://github.com/ubccr/xdmod/pull/2081)).
+- Maintenance / Code Quality
+    - Remove unused code ([\#2188](https://github.com/ubccr/xdmod/pull/2188)).
+
 ## 2025-08-19 v11.0.2
 
 - New Features
@@ -214,6 +239,10 @@
         - A new endpoint for retrieving raw data has been added.
 
 ## 2023-08-04 v10.0.3
+
+- Important Notes
+    - This release fixes a critical security vulnerability in Open XDMoD:
+        - https://github.com/ubccr/xdmod/security/advisories/GHSA-r33r-6g3c-r992
 - Bug Fixes
     - General
         - Fix handling of filters where the filter string has a quote character in it (#1749)

diff --git a/bin/xdmod-upgrade b/bin/xdmod-upgrade
@@ -28,7 +28,8 @@ ini_set('memory_limit', -1);
 $supportedUpgrades = array(
     '11.0.0' => '11.0.1',
     '11.0.1' => '11.0.2',
-    '11.0.2' => '11.5.0'
+    '11.0.2' => '11.0.3',
+    '11.0.3' => '11.5.0'
 );
 
 /**

diff --git a/classes/OpenXdmod/Migration/Version1102To1103/ConfigFilesMigration.php b/classes/OpenXdmod/Migration/Version1102To1103/ConfigFilesMigration.php
@@ -0,0 +1,23 @@
+<?php
+/**
+ * Update config files from version 11.0.2 to 11.0.3
+ */
+
+namespace OpenXdmod\Migration\Version1102To1103;
+
+use OpenXdmod\Migration\ConfigFilesMigration as AbstractConfigFilesMigration;
+
+class ConfigFilesMigration extends AbstractConfigFilesMigration
+{
+
+    /**
+     * Update portal_settings.ini with the new version number.
+     */
+    public function execute()
+    {
+        $this->assertPortalSettingsIsWritable();
+        $this->assertModulePortalSettingsAreWritable();
+        $this->writePortalSettingsFile();
+        $this->writeModulePortalSettingsFiles();
+    }
+}
diff --git a/...ersion1102To1150/ConfigFilesMigration.php → ...ersion1103To1150/ConfigFilesMigration.php b/...ersion1102To1150/ConfigFilesMigration.php → ...ersion1103To1150/ConfigFilesMigration.php
@@ -1,9 +1,9 @@
 <?php
 /**
- * Update config files from version 11.0.2 to 11.5.0
+ * Update config files from version 11.0.3 to 11.5.0
  */
 
-namespace OpenXdmod\Migration\Version1102To1150;
+namespace OpenXdmod\Migration\Version1103To1150;
 
 use OpenXdmod\Migration\ConfigFilesMigration as AbstractConfigFilesMigration;
 use CCR\Json;

diff --git a/.../Version1102To1150/DatabasesMigration.php → .../Version1103To1150/DatabasesMigration.php b/.../Version1102To1150/DatabasesMigration.php → .../Version1103To1150/DatabasesMigration.php
@@ -1,9 +1,9 @@
 <?php
 /**
- * Update database from version 11.0.2 to 11.5.0
+ * Update database from version 11.0.3 to 11.5.0
  */
 
-namespace OpenXdmod\Migration\Version1102To1150;
+namespace OpenXdmod\Migration\Version1103To1150;
 
 use OpenXdmod\Migration\DatabasesMigration as AbstractDatabasesMigration;
 use OpenXdmod\Shared\DatabaseHelper;
@@ -37,15 +37,15 @@ public function execute()
 
         if ($mysql_helper->tableExists('modw.storagefact')) {
             Utilities::runEtlPipeline(
-                ['storage-migration-11_0_2-11_5_0', 'xdw-aggregate-storage'],
+                ['storage-migration-11_0_3-11_5_0', 'xdw-aggregate-storage'],
                 $this->logger,
                 ['last-modified-start-date' => '2017-01-01 00:00:00']
             );
         }
 
         if ($mysql_helper->tableExists('modw_cloud.event')) {
             Utilities::runEtlPipeline(
-                ['cloud-migration_11-0-2_11-5-0', 'cloud-state-pipeline'],
+                ['cloud-migration_11-0-3_11-5-0', 'cloud-state-pipeline'],
                 $this->logger,
                 ['last-modified-start-date' => '2017-01-01 00:00:00']
             );

diff --git a/.../etl.d/xdmod-migration-11_0_2-11_5_0.json → .../etl.d/xdmod-migration-11_0_3-11_5_0.json b/.../etl.d/xdmod-migration-11_0_2-11_5_0.json → .../etl.d/xdmod-migration-11_0_3-11_5_0.json
@@ -1,7 +1,7 @@
 {
     "module": "xdmod",
     "defaults": {
-        "migration-11_0_2-11_5_0": {
+        "migration-11_0_3-11_5_0": {
             "namespace": "ETL\\Ingestor",
             "options_class": "IngestorOptions",
             "class": "DatabaseIngestor",
@@ -20,7 +20,7 @@
                 }
             }
         },
-        "cloud-migration_11-0-2_11-5-0": {
+        "cloud-migration_11-0-3_11-5-0": {
             "namespace": "ETL\\Ingestor",
             "options_class": "IngestorOptions",
             "class": "DatabaseIngestor",
@@ -39,7 +39,7 @@
                 }
             }
         },
-        "storage-migration-11_0_2-11_5_0": {
+        "storage-migration-11_0_3-11_5_0": {
             "namespace": "ETL\\Maintenance",
             "options_class": "MaintenanceOptions",
             "class": "ExecuteSql",
@@ -59,7 +59,7 @@
             }
         }
     },
-    "migration-11_0_2-11_5_0": [
+    "migration-11_0_3-11_5_0": [
         {
             "name": "update-reports",
             "description": "Update report tables to remove duplicate rows",
@@ -442,7 +442,7 @@
             }
         }
     ],
-    "storage-migration-11_0_2-11_5_0": [
+    "storage-migration-11_0_3-11_5_0": [
         {
             "name": "manageStorageTables",
             "description": "Changes to storage tables",
@@ -460,7 +460,7 @@
             ]
         }
     ],
-    "cloud-migration_11-0-2_11-5-0": [
+    "cloud-migration_11-0-3_11-5-0": [
         {
             "name": "cloud-add-disk-gb-to-instance-data",
             "description": "Add disk_gb column to modw_cloud.instance_data",

diff --git a/html/about/release_notes/xdmod.html b/html/about/release_notes/xdmod.html
@@ -2,6 +2,32 @@ <h1>Open XDMoD Release Notes</h1>
 
 <p>Below is a list of Open XDMoD releases with major features and bug fixes listed.</p>
 
+<h2 id="2026-05-12-v11-0-3">2026-05-12 v11.0.3</h2>
+<ul>
+    <li><p>Important Notes</p><ul>
+        <li>This release fixes a critical security vulnerability and two other
+            moderate-to-high severity security vulnerabilities in Open
+            XDMoD:<ul>
+            <li><a href="https://github.com/ubccr/xdmod/security/advisories/GHSA-29qm-7w4v-43fw" target="_blank" rel="noopener noreferrer">https://github.com/ubccr/xdmod/security/advisories/GHSA-29qm-7w4v-43fw</a></li>
+            <li><a href="https://github.com/ubccr/xdmod/security/advisories/GHSA-3pv7-qvc3-h527" target="_blank" rel="noopener noreferrer">https://github.com/ubccr/xdmod/security/advisories/GHSA-3pv7-qvc3-h527</a></li>
+            <li><a href="https://github.com/ubccr/xdmod/security/advisories/GHSA-3hfh-m242-8rmh" target="_blank" rel="noopener noreferrer">https://github.com/ubccr/xdmod/security/advisories/GHSA-3hfh-m242-8rmh</a></li>
+        </ul></li>
+    </ul></li>
+    <li><p>Bug Fixes</p><ul>
+        <li>Fix bug in which the server runs out of memory when exporting
+            data.</li>
+        <li>Fix tooltip display when hovering over area plots.</li>
+        <li>Fix charting export.</li>
+        <li>Fix username validation.</li>
+    </ul></li>
+    <li><p>Enhancements</p><ul>
+        <li>Improve performance of database queries.</li>
+    </ul></li>
+    <li><p>Documentation</p><ul>
+        <li>Update list of publications and presentations.</li>
+    </ul></li>
+</ul>
+
 <h2 id="2025-08-19-v11-0-2">2025-08-19 v11.0.2</h2>
 <ul>
     <li><p>New Features</p><ul>
@@ -395,6 +421,12 @@ <h2 id="2023-09-11-v10-5-0">2023-09-11 v10.5.0</h2>
 </ul>
 <h2 id="2023-08-04-v10-0-3">2023-08-04 v10.0.3</h2>
 <ul>
+    <li><p>Important Notes</p><ul>
+        <li>This release fixes a critical security vulnerability in Open
+            XDMoD:<ul>
+            <li><a href="https://github.com/ubccr/xdmod/security/advisories/GHSA-r33r-6g3c-r992" target="_blank" rel="noopener noreferrer">https://github.com/ubccr/xdmod/security/advisories/GHSA-r33r-6g3c-r992</a></li>
+        </ul></li>
+    </ul></li>
     <li>Bug Fixes<ul>
         <li>General<ul>
             <li>Fix handling of filters where the filter string has a quote character in it (#1749)</li>

diff --git a/html/controllers/sab_user.php b/html/controllers/sab_user.php
@@ -4,19 +4,15 @@
  *
  * operation: params -----
  *     enum_tg_users: start, limit, [query], pi_only
- *     assign_assumed_person: person_id
- *     get_mapping: use_default
  */
 
 require_once __DIR__ . '/../../configuration/linker.php';
 
 \xd_security\start_session();
 
-$controller = new XDController(array(STATUS_LOGGED_IN));
+$controller = new XDController(array(STATUS_LOGGED_IN, STATUS_MANAGER_ROLE));
 
 $controller->registerOperation('enum_tg_users');
-$controller->registerOperation('assign_assumed_person');
-$controller->registerOperation('get_mapping');
 
 $session_variable
     = (isset($_POST['dashboard_mode']))

diff --git a/html/controllers/sab_user/assign_assumed_person.php b/html/controllers/sab_user/assign_assumed_person.php
diff --git a/html/controllers/sab_user/get_mapping.php b/html/controllers/sab_user/get_mapping.php
diff --git a/html/password_reset.php b/html/password_reset.php
@@ -75,7 +75,7 @@
 
 		}//if (INVALID)
 
-      $first_name = $validationCheck['user_first_name'];
+      $first_name = htmlspecialchars($validationCheck['user_first_name'], ENT_QUOTES, 'UTF-8');
 
       $mode = ( isset($_GET['mode']) && ($_GET['mode'] == 'new') ) ? 'create' : 'reset';
 

diff --git a/libraries/charting.php b/libraries/charting.php
@@ -145,17 +145,17 @@ function getSvgViaChromiumHelper($html, $width, $height){
  */
 
 function convertSvg($svgData, $format, $width, $height, $docmeta){
-    $author = isset($docmeta['author']) ? addcslashes($docmeta['author'], "()\n\\") : 'XDMoD';
-    $subject = isset($docmeta['subject']) ? addcslashes($docmeta['subject'], "()\n\\") : 'XDMoD chart';
-    $title = isset($docmeta['title']) ? addcslashes($docmeta['title'], "()\n\\") :'XDMoD PDF chart export';
-    $creator = addcslashes('XDMoD ' . OPEN_XDMOD_VERSION, "()\n\\");
+    $author = isset($docmeta['author']) ? escapeshellarg($docmeta['author']) : "'XDMoD'";
+    $subject = isset($docmeta['subject']) ? escapeshellarg($docmeta['subject']) : "'XDMoD chart'";
+    $title = isset($docmeta['title']) ? escapeshellarg($docmeta['title']) : "'XDMoD PDF chart export'";
+    $creator = escapeshellarg('XDMoD ' . OPEN_XDMOD_VERSION);
 
     switch($format){
         case 'png':
-            $exifArgs = "-Title='$title' -Author='$author' -Description='$subject' -Source='$creator'";
+            $exifArgs = "-Title=$title -Author=$author -Description=$subject -Source=$creator";
             break;
         case 'pdf':
-            $exifArgs = "-Title='$title' -Author='$author' -Subject='$subject' -Creator='$creator'";
+            $exifArgs = "-Title=$title -Author=$author -Subject=$subject -Creator=$creator";
             break;
         default:
             return $svgData;

diff --git a/open_xdmod/modules/xdmod/xdmod.spec.in b/open_xdmod/modules/xdmod/xdmod.spec.in
@@ -97,6 +97,8 @@ rm -rf $RPM_BUILD_ROOT
 %dir %attr(0570,apache,xdmod) %{xdmod_export_dir}
 
 %changelog
+* Tue May 12 2026 XDMoD <ccr-xdmod-list@listserv.buffalo.edu> 11.0.3-2
+- Release 11.0.3
 * Tue Aug 19 2025 XDMoD <ccr-xdmod-list@listserv.buffalo.edu> 11.0.2-3
 - Release 11.0.2
 * Mon Mar 17 2025 XDMoD <ccr-xdmod-list@listserv.buffalo.edu> 11.0.1-1