X2Josef
Posted October 4, 2018

It has been brought to our attention that three vulnerabilities were found in our app. Please take the chance to look over the following fixes for these vulnerabilities and apply them to your installations. These fixes will also be included in our next version.

Fixes:
- Exception handling for invalid input to prevent SQL injection from the ActionHistoryChartWidget
- Permission check for arbitrary file download via the global export in the admin control panel and when exporting themes
- Field purification when processing requests to prevent cross-site scripting (XSS)

Files:
https://github.com/X2Engine/X2CRM/blob/5ecb32881dede41b9b41847d36d15e41ba08c44e/x2engine/protected/components/X2WebApplication.php
https://github.com/X2Engine/X2CRM/blob/5ecb32881dede41b9b41847d36d15e41ba08c44e/x2engine/protected/components/sortableWidget/recordViewWidgets/ActionHistoryChartWidget.php
https://github.com/X2Engine/X2CRM/blob/5ecb32881dede41b9b41847d36d15e41ba08c44e/x2engine/protected/controllers/AdminController.php
https://github.com/X2Engine/X2CRM/blob/5ecb32881dede41b9b41847d36d15e41ba08c44e/x2engine/protected/controllers/ProfileController.php

Pull Request:
https://github.com/X2Engine/X2CRM/pull/160

Make sure to take backups before applying any of these changes, of course!

Thank you to SYSDREAM for bringing these vulnerabilities to our attention.
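The three fix patterns named in the post (reject invalid input before it reaches a query, check permissions before serving an export, purify request fields against XSS) are shown below in plain PHP as an added illustration. This is not X2CRM's code and does not reproduce the linked pull request: the function names, the `action_history` table, the `$user` array and the export directory are constructed for the example, and the path-confinement check in the download step goes one step beyond the permission check the post describes.

```php
<?php
// Added example, not X2CRM code. All names and data here are constructed.

// 1. Invalid input raises an exception instead of being interpolated into SQL,
//    and the validated value is bound as a typed parameter.
function actionHistoryCount(PDO $pdo, $rawRecordId, $rawDays): int {
    $id = filter_var($rawRecordId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('record id must be a positive integer');
    }
    $days = filter_var($rawDays, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 365]]);
    if ($days === false) {
        throw new InvalidArgumentException('days must be an integer from 1 to 365');
    }
    $since = time() - $days * 86400;  // createDate is a unix timestamp in this constructed schema
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM action_history WHERE associationId = :id AND createDate >= :since'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':since', $since, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// 2. The export download is gated on an explicit permission check, and the
//    requested name is confined to the export directory (hypothetical path).
function resolveExportDownload(array $user, string $requestedName, string $exportDir): string {
    if (empty($user['isAdmin'])) {
        throw new RuntimeException('403: only administrators may download exports');
    }
    $base = realpath($exportDir);
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requestedName));
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('404: export not found');
    }
    return $path;
}

// 3. Request fields are purified recursively so that markup in any field,
//    nested arrays included, cannot be rendered as HTML later.
function purifyFields(array $fields): array {
    $clean = [];
    foreach ($fields as $key => $value) {
        $clean[$key] = is_array($value)
            ? purifyFields($value)
            : htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $clean;
}

// Constructed demonstration data: an in-memory SQLite database and a fake request.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE action_history (associationId INTEGER, createDate INTEGER)');
$pdo->exec('INSERT INTO action_history VALUES (7, ' . (time() - 3600) . '), (7, ' . (time() - 40 * 86400) . ')');

echo actionHistoryCount($pdo, '7', '30'), "\n";          // 1: only the recent row is counted
try {
    actionHistoryCount($pdo, "7 OR 1=1", '30');           // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

try {
    resolveExportDownload(['isAdmin' => false], 'backup.csv', sys_get_temp_dir());
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                           // 403 for a non-admin
}

print_r(purifyFields(['name' => '<script>alert(1)</script>', 'tags' => ['a', '"b"']]));
```

The count query and the export path are deliberately simple so that the three controls stand out: validation that throws, an authorization check ahead of any file access, and encoding of every request field. Purifying on input, as the post describes, is complemented by encoding again at render time, which also protects data that entered the database through other paths.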