A security review was done by a team of Micromata, Germany. Many thanks to Sergej Michel and Peter Baus (great job)!

1. Security release: Please update as soon as is practicable! Some vulnerabilities were discovered (a logged-in-user is always required):
2. Security: Cross-Site-Request-Forgery (CSRF): an attacker may send manipulated html-pages to a logged-in-user.
3. Security: XSS of JSON-Strings in autocompletion form: an attacker must be a logged-in-user for manipulating autocompletion strings in the data-base.
4. Security: Salt and pepper for passwords: an attacker with access to a data-base dump or SHA256 hashed passwords of ProjectForge user's may compromise weak passwords by brute-force attacks or with a rainbow-tables.
5. Security: Improved mechanism for avoiding brute-force-attacks on user/password combinations (by username as well as by IP), rest-calls are now included.
6. Improved LDAP-support (for ProjectForge as LDAP-master).
7. Some minor bugfixes and features are included, as well.