Join the Mailing List
Download ImpressCMS 1.3.7 and 1.2.9 (LTS) Releases NowPublished by Skenow on 2014/6/25 (4041 reads)
One of the top tenets of ImpressCMS is to be a secure platform for your websites. In response to a recent CVE report, additional validation and sanitation of user has been implemented in the 1.2 and 1.3 releases. Once again, we were aided by Pedro Ribeiro of Agile Information Security Ltd. in testing the patches for this issue.
If you ever discover a vulnerability or are uncertain about the security of ImpressCMS, please use our Security Issue Report form to let us know.
Download ImpressCMS 1.3.7 and 1.2.9 LTS (Long Term Support)
The new 1.3 release is available for download on the ImpressCMS 1.3 product page.
We continue to provide support for the 1.2 series of ImpressCMS. Once ImpressCMS 2.0 Final is released, the 1.2 support will be discontinued. The update for 1.2 (our Long Term Support version) is available on the ImpressCMS 1.2 product page
What is the risk?
Users with sufficient access to the core image manager could employ cross site scripting attacks on a site, or could be manipulated to deploy the attacks. Most attacks, like this one, are successful only if the Protector module is deactivated and HTML Purifier is disabled.
What has changed?
Additional filtering and validation of the search terms for images has been added, along with proper encoding of the output. The 1.3.7 release also contains some minor fixes for PDO (PHP Database Object) support and a missing language constant. The preferences page in the control panel now has its own stylesheet class.
In addition to applying the patch, you should review your group policies to be sure members of your site only have the access they need for their role.
Want to get involved?
If you're looking to join the ImpressCMS project, then get on board! All you need to do is head on over and complete the ImpressCMS Team form.
We'd love to connect with you ...