Join the Mailing List
Upgrade now to ImpressCMS 1.2.4 Security ReleasePublished by Fiammybe on 2010/12/15 (6169 reads)
The ImpressCMS Project announces an important update to the 1.2.x series, addressing 2 vulnerabilities recently discovered.
The first issue was with the imagemanager plugin for TinyMCE, allowing unauthorized creation of image categories. The second is a potential cross site scripting vulnerability in the quicksearch functionality of the ImpressCMS Persistable Framework. This vulnerability required elevated permissions and was only present in the administration area.
This issue has now been fixed in version 1.2.4. The ImpressCMS team urges everyone to upgrade their ImpressCMS installation as soon as possible.
Our thanks to sato-san of the German community, who reported the first vulnerability. We also will mention the organization that reported the 2nd vulnerability to us only this morning - High-Tech Bridge. We do appreciate the notification, but were assured the report would not go public until we had the opportunity to review it. Within just a few hours, however, the reports were flying around on Twitter and on several other security sites. Sadly, none of them had the complete information about the vulnerability and much mis-information was distributed.
If you discover a questionable behavior in ImpressCMS or a potential security weakness, please contact us and allow us to address it immediately, which we will. To notfiy our security team, send a detailed email to firstname.lastname@example.org and we will respond to your report and provide a verification and fix, if warranted.
To download ImpressCMS 1.2.4, visit -
To patch your ImpressCMS 1.2.3 site, visit