Implemented Vulnerability in user website field

Status
Not open for further replies.

Rodolfo

Chevereto Developer
Chevereto Staff
It has been reported that there is a vulnerability affecting all Chevereto releases. To fix this, download the latest release and replace both app/lib/ and app/themes/.

For those who have changed the theme, the conflicting field can be found under get_user()["website"]. So the manual procedure is to update app/lib/ and then simply do the following:

Replace all these:
PHP:
get_user()["website"]
With this:
PHP:
get_user()["website_safe_html"]
The download (v3.7.3) has already been patched at this time. If you download again it will contain this fix.

Cheers,
Rodolfo.

P.S. Thanks to Nick Burnett for reporting this.
 
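The fix above swaps a raw user-supplied value for an HTML-escaped one wherever a theme echoes it. As an added example (not Chevereto's code, and not part of this thread) the script below shows why that matters for a profile "website" field rendered into a link: escaping neutralises injected markup, and a scheme check keeps non-http values out of an href, which escaping alone does not do. The helper names safe_html(), safe_website_url() and render_website_link() are hypothetical, the sample profiles are constructed, and the only assumption about get_user() is that it returns an array with a "website" key.

```php
<?php
// Added example, not Chevereto's own code. Demonstrates rendering a
// user-controlled "website" value safely in both text and href contexts.

declare(strict_types=1);

/**
 * Escape a string for an HTML text or attribute context.
 * ENT_QUOTES also encodes the single quote, so the result is safe
 * inside single-quoted attributes as well as double-quoted ones.
 */
function safe_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Return an escaped website URL that is safe to place in an href, or null
 * when the value is not an absolute http(s) URL. Rejecting other schemes
 * matters because HTML escaping does not neutralise a "javascript:" href.
 */
function safe_website_url(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || filter_var($value, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return safe_html($value);
}

/**
 * Render the profile website link the way a theme template would.
 * $user mirrors the assumed shape of a get_user() array (hypothetical).
 */
function render_website_link(array $user): string
{
    $url = safe_website_url((string) ($user['website'] ?? ''));
    if ($url === null) {
        return ''; // omit the link rather than emit an unsafe href
    }
    return '<a href="' . $url . '" rel="nofollow noopener">' . $url . '</a>';
}

// Constructed sample profiles: one benign URL and two hostile values.
$samples = [
    ['website' => 'https://example.com/~alice'],
    ['website' => '"><script>alert(1)</script>'],
    ['website' => 'javascript:alert(1)'],
];

foreach ($samples as $user) {
    $raw = (string) ($user['website'] ?? '');
    // Unsafe rendering: the raw value lands in the page unescaped.
    $unsafe = '<a href="' . $raw . '">' . $raw . '</a>';
    // Safe rendering: escaped, and only http(s) links are emitted at all.
    $safe = render_website_link($user);
    echo "unsafe: {$unsafe}\n";
    echo 'safe:   ' . ($safe === '' ? '(link omitted)' : $safe) . "\n\n";
}
```

Running this prints each profile twice: the unsafe line shows the injected markup and the javascript: scheme passing straight through, while the safe line shows the first sample escaped and linked and the two hostile samples dropped. The same split applies to Chevereto's fix: use the "_safe_html" variant in any text or attribute context, and keep a separate scheme check for values that end up in an href.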

lovedigit

Core license
License owner
Why not release 3.7.4 with these patches so that those who already upgraded to v3.7.3 could be automatically notified?
 

Rodolfo

Chevereto Developer
Chevereto Staff
There are some other bugs I'm working on for v3.7.4 and for sure I will include this one.

Thanks.
 

SirMoo

Founder license
Beta tester
Can we request that future security updates come as a secondary point version to force updates in the admin? Such as this would be 3.7.3.2 or something to the effect of 3.7.3 R2 (though I'm not sure how the system would work with letters).
 