Guest Alexander Ebert
Posted June 3

We have just released new versions of our products:

WoltLab Suite 6.0.6
WoltLab Suite 5.5.20

Stability releases (third part of the version number, also known as “patch releases”) aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.

[HEADING=1]Security Notice[/HEADING]

It has been brought to our attention by @SoftCreatR that the user menus of conversations and moderation do not perform escaping. This is a so-called “cross-site scripting” vulnerability that could allow an attacker to execute their own HTML code.

A proper fix has been provided as an update for WoltLab Suite 6.0 and 5.5; the version series 5.4 and older are not affected by this bug. Notifications use the same construct but already perform correct escaping and are therefore not vulnerable to this issue.

All WoltLab Cloud customer installations have already been updated.

[HEADING=1]How to Apply Updates[/HEADING]

Open your Administration Control Panel and navigate to “Configuration → Packages → List Packages”. Please click on the button “Search for Updates” located in the right corner above the package list.

[HEADING=1]Notable Changes[/HEADING]

The list below includes only significant changes; minor fixes or typos are generally left out.

[HEADING=2]WoltLab Suite Core: Conversations[/HEADING]

SECURITY: The title of conversations in the user menu allowed the injection of HTML code. (5.5, 6.0)

[HEADING=2]WoltLab Suite Core[/HEADING]

SECURITY: The title of entries in the moderation in the user menu allowed the injection of HTML code. (5.5, 6.0)
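
The escaping problem described in the Security Notice, as an added example that is not part of the original post and is not WoltLab Suite code: a menu entry rendered with the title concatenated unescaped, next to the escaped form, with a tag-count check that tells the two apart. The function names, markup, link and title are constructed for illustration.

```javascript
// Added illustration; not WoltLab Suite code. All names and markup are hypothetical.

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Before: the user-supplied title goes into the markup unchanged.
function renderMenuItemUnescaped(item) {
  return `<a class="menuItem" href="${escapeHtml(item.link)}">` +
    `<span class="menuItemTitle">${item.title}</span></a>`;
}

// After: the title is escaped at the point of output.
function renderMenuItemEscaped(item) {
  return `<a class="menuItem" href="${escapeHtml(item.link)}">` +
    `<span class="menuItemTitle">${escapeHtml(item.title)}</span></a>`;
}

// Regression check: the template itself opens exactly two elements (a, span).
// Any further opening tag in the output came from the title.
const TEMPLATE_TAGS = 2;
function injectedTagCount(html) {
  const opened = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return opened.length - TEMPLATE_TAGS;
}

// Constructed sample entry; the title stands in for user-controlled input.
const sample = {
  link: "/conversation/1/",
  title: 'Lunch <img src="x" onerror="console.log(1)"> & more',
};

console.log(injectedTagCount(renderMenuItemUnescaped(sample)));
console.log(injectedTagCount(renderMenuItemEscaped(sample)));
console.log(renderMenuItemEscaped(sample));
```

In browser code that builds the menu through the DOM, assigning the title with `textContent` gives the same result without a manual escape step.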