Security update: everyone using JoomCCK should update to the latest version.
Download Extended Version:
https://www.joomcoder.com/joomla-extensions/9-components/24-joomcck
Changes in Free version
- Security - Fixed a critical unauthenticated SQL injection in the front-end tags.savetask (the tag parameter was concatenated into the query unescaped and was reachable with no login or CSRF token); the query is now parameterized
- Security - State-changing front-end tasks (tag save/delete, record copy, file removal, and the writing AJAX endpoints) now enforce a CSRF token plus login/ACL checks
- Security - Hardened all remaining model, controller, helper and admin-tool queries against SQL injection (query builder / $db->quote() / integer casts)
- Security - Fixed an IDOR in the notifications "remove by" action; deletions are now scoped to the current user
- Security - The author-filter AJAX endpoint no longer exposes author email addresses to anonymous visitors
- Fixed - Fatal error ("Invalid controller: name='types'") when deleting a content type from the Types list
Changes in Extended version
- Security - The same SQL-injection hardening and CSRF/authorization fixes applied to the extended fields and the comment/social integrations
Reported by Kamil Soltanov via coordinated disclosure (Joomla Security Strike Team). CVE pending.
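As an added illustration of the three fix patterns the security items describe (parameterized query, CSRF token plus login/ACL check, and deletions scoped to the current user), not JoomCCK's own code: it assumes the Joomla 3.8+/4 API (Joomla\CMS\Factory, Joomla\CMS\Session\Session) and a hypothetical #__example_tags table with id, title and user_id columns.

```php
<?php
// Illustrative only; not JoomCCK code. Hypothetical table #__example_tags(id, title, user_id).
use Joomla\CMS\Factory;
use Joomla\CMS\Session\Session;

// BEFORE: the pattern described in the changelog. Untrusted input is concatenated
// straight into SQL and nothing checks a token or a logged-in user.
function saveTagUnsafe(): void
{
    $db  = Factory::getDbo();
    $tag = Factory::getApplication()->input->getString('tag');
    $db->setQuery("INSERT INTO #__example_tags (title) VALUES ('" . $tag . "')");
    $db->execute();
}

// Shared guard for state-changing tasks: CSRF token, then login/ACL.
function requireTokenAndUser(string $asset)
{
    $user = Factory::getApplication()->getIdentity(); // Factory::getUser() on Joomla 3
    // 1. Reject any request that does not carry the session's form token.
    if (!Session::checkToken('request')) {
        throw new \RuntimeException('Invalid token', 403);
    }
    // 2. Anonymous visitors (and users without the permission) cannot change state.
    if ($user->guest || !$user->authorise('core.edit', $asset)) {
        throw new \RuntimeException('Not authorised', 403);
    }
    return $user;
}

// AFTER: strings go through $db->quote(), numbers through an (int) cast.
function saveTagHardened(): void
{
    $user  = requireTokenAndUser('com_example');
    $db    = Factory::getDbo();
    $tag   = Factory::getApplication()->input->getString('tag');
    $query = $db->getQuery(true)
        ->insert($db->quoteName('#__example_tags'))
        ->columns($db->quoteName(['title', 'user_id']))
        ->values($db->quote($tag) . ', ' . (int) $user->id);
    $db->setQuery($query)->execute();
}

// IDOR fix pattern: the delete is scoped to the caller, so a valid id that
// belongs to someone else simply matches zero rows.
function removeTagHardened(): void
{
    $user  = requireTokenAndUser('com_example');
    $db    = Factory::getDbo();
    $id    = Factory::getApplication()->input->getInt('id');
    $query = $db->getQuery(true)
        ->delete($db->quoteName('#__example_tags'))
        ->where($db->quoteName('id') . ' = ' . (int) $id)
        ->where($db->quoteName('user_id') . ' = ' . (int) $user->id);
    $db->setQuery($query)->execute();
}
```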