Upgrade now to ImpressCMS 1.2.4 Security Release

Published by Fiammybe on 2010/12/15

The ImpressCMS Project announces an important update to the 1.2.x series, addressing 2 recently discovered vulnerabilities.

The first issue was in the imagemanager plugin for TinyMCE, which allowed unauthorized creation of image categories. The second is a potential cross-site scripting vulnerability in the quicksearch functionality of the ImpressCMS Persistable Framework. This second vulnerability required elevated permissions and was only present in the administration area.

These issues have now been fixed in version 1.2.4. The ImpressCMS team urges everyone to upgrade their ImpressCMS installation as soon as possible.

Our thanks to sato-san of the German community, who reported the first vulnerability. We will also mention the organization that reported the 2nd vulnerability to us only this morning - High-Tech Bridge. We do appreciate the notification, but were assured the report would not go public until we had the opportunity to review it. Within just a few hours, however, the reports were flying around on Twitter and on several other security sites. Sadly, none of them had the complete information about the vulnerability and much misinformation was distributed.

If you discover questionable behavior in ImpressCMS or a potential security weakness, please contact us and allow us to address it immediately, which we will. To notify our security team, send a detailed email to and we will respond to your report and provide a verification and fix, if warranted.

To download ImpressCMS 1.2.4, visit -

To patch your ImpressCMS 1.2.3 site, visit
