
Announcing CMSMS 2.2.1 "Hearts Desire"

Category:Releases General 

16. 06. 2017 by mr101010

CRITICAL SECURITY RELEASE

Hello people.

Today we announce the release of CMS Made Simple version 2.2.1 "Hearts Desire". Not only does this release fix a few important issues detected with the 2.2 release, but it addresses a CRITICAL security issue that was detected for all 2.x releases. We request that you upgrade your CMSMS installations as soon as possible.

Specifically:

  1. Fixed an issue where a compiled string template could be provided to many modules that directly execute PHP code without going through the Smarty security policy.
  2. debug_to_log() is no longer a permitted PHP function to call within templates.
  3. Fixed an issue where MicroTiny failed to initialize.
  4. Fixed an issue in the database abstraction library when using nested transactions.
  5. Fixed an issue with the Smarty plugin loading mechanism for plugins that use the smarty_cms_function_foo naming standard.
  6. After an upgrade, ensure that the config.php has read-only permissions.
  7. On upgrade, move all remaining plugins (should only be third party plugins) from /plugins to /assets/plugins.
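
A post-upgrade check for items 6 and 7 above, as an added example that is not part of the original announcement or CMSMS's own tooling. It assumes the install root is passed as the first argument and that leftover plugins are `*.php` files under `/plugins`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a CMSMS install after upgrading to 2.2.1.
# Usage: sh audit.sh <cmsms-install-root>

# Succeeds only if config.php exists and has no write bit set
# for owner, group or other (item 6: read-only config.php).
config_is_readonly() {
    [ -f "$1/config.php" ] || return 2
    writable=$(find "$1/config.php" -prune \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print)
    [ -z "$writable" ]
}

# Prints any PHP files still under <root>/plugins (item 7: these
# should have been moved to <root>/assets/plugins by the upgrade).
# Assumption: plugins are identified by the .php extension.
leftover_plugins() {
    [ -d "$1/plugins" ] || return 0
    find "$1/plugins" -type f -name '*.php' -print
}

# Runs both checks, reports findings, returns non-zero on any finding.
audit_cmsms_upgrade() {
    root=$1
    status=0
    if [ ! -f "$root/config.php" ]; then
        echo "MISSING:  $root/config.php"
        status=1
    elif ! config_is_readonly "$root"; then
        echo "WRITABLE: $root/config.php (expected read-only after upgrade)"
        status=1
    fi
    left=$(leftover_plugins "$root")
    if [ -n "$left" ]; then
        echo "LEFTOVER: plugin files still in $root/plugins:"
        echo "$left"
        status=1
    fi
    return $status
}

if [ $# -gt 0 ]; then
    audit_cmsms_upgrade "$1"
fi
```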

Again, we consider the security vulnerabilities to be CRITICAL and request that you upgrade your sites as soon as possible.

Many thanks to Daniel Le Gall from SCRT SA, Switzerland for reporting this vulnerability. His skills and professionalism certainly assisted in our understanding, reproducing and resolving the vulnerability quickly and easily.

We apologize for the inconvenience and thank you for your cooperation.


© Copyright 2017 by CMSMS™ and the posts author(s). All rights reserved.

