This is a security release that patches one critical and several low-impact vulnerabilities that affected BTCPay Server versions and older.

The critical vulnerability (CVE-2021-29251) impacts users who:

- Use Docker Deployment,
- have a configured email server, and
- enabled registration for users in Server Settings > Policies

We strongly recommend that affected users update their instances to mitigate the risk. We will release a full public disclosure of the vulnerabilities with the next major version of BTCPay Server.

We want to thank @teslamotors for filing a responsible disclosure, helping us with remediation, and handling the situation professionally. We also want to thank Qaiser Abbas, an independent web-security researcher, for an additional responsible vulnerability disclosure that was handled in this release. Thank you for keeping our users safe.

### Improvements:

* Add user email search/sort @bolatovumar
* Fix pay button link preview (see #2396) @bumbummen99
* Change display date format on view pull payments (see #2339) @AlexGidge
* Update form required input styling (see #2373) @bolatovumar
* Order file uploaded list by descending timestamp (#2273) @bolatovumar
* Remove misleading title from hint icon @dennisreimann
* Make dates/timespan swagger docs more clear (#2399) @Kukks
* Add rate limiter for forgotpassword @NicolasDorier
* Upgrade Bootstrap to v4.6 and jquery to 3.6.0 @dennisreimann
* Use better PRNG for payjoin input selection @NicolasDorier
* Decrease authentication cookie timeout after password change from 30min to 5min @NicolasDorier
* Use secure/http-only cookies for preferences @NicolasDorier

### Bug fixes:

* Ensure submitting empty currency does not break update PoS page (#2376) @bolatovumar
* Fix point of sale item newline break (#2366) @Kukks
* Validate filename in file upload endpoints @NicolasDorier
* Turn off autocomplete for BIP39 Seed or HD private key inputs @nosovk
* Fix payment request template body/page height and footer style @Patrick