From 23c9edd5a4c84147944a9ad44edb789440e208f3 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Thu, 1 Apr 2021 07:42:07 +0200
Subject: [PATCH 1/2] check if $this->extraheader['favicon'] has a value

---
 views/bootstrap/class.Bootstrap.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 5cb3e5a4b..f15895e83 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -120,7 +120,7 @@ class SeedDMS_Bootstrap_Style extends SeedDMS_View_Common {
 echo ''."\n";
 echo ''."\n";
 // echo ''."\n";
- if($this->extraheader['favicon'])
+ if(!empty($this->extraheader['favicon']))
 echo $this->extraheader['favicon'];
 else {
 echo ''."\n";

From 34b1574cc16b771f2faaf432c960e2290af679cd Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Mon, 5 Apr 2021 10:23:58 +0200
Subject: [PATCH 2/2] add CVE for fixed csrf attacks

---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG b/CHANGELOG
index 128e709d8..2048d786b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@
 - fix potential clickjacking attack with manipulated email address of a user - loading more items on ViewFolder page obeys sort order - fix possible csrf attacks due to missing form token + (CVE-2021–26215, CVE-2021–26216) - show an error msg on the documents detail page if the checksum of version mismatch - overhaul notifications, type of receiver is now passed to notification
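Review bot: The new `!empty()` guard only changes when `$this->extraheader['favicon']` is printed; the value is still echoed into the document head unescaped on the following line, so the array entry must only ever hold markup the application itself assembled (the surrounding `echo` lines look like `<link>`/`<meta>` tags whose markup was stripped in this rendering), never anything taken from request data. A short contract comment above the guard would make that explicit for future writers of the property, e.g. `// 'favicon' must contain a trusted, pre-rendered tag string; it is printed as-is`. Note also that `!empty()` treats the string `'0'` as unset, which is harmless here but `isset(...) && $this->extraheader['favicon'] !== ''` states the intent more precisely. Stylistically, a brace-less `if` branch paired with a braced `else` is easy to misread; braces on both branches would be clearer. The enclosing method starts before and continues after the hunk.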