Zenario 9.2.57473

@TribalSystems TribalSystems released this 26 Oct 13:44

This release contains a critical security patch for file uploads in User Forms; anyone
using Zenario 9.2 should update as soon as possible.

Critical security patch

This security update fixes a remote code execution vulnerability in Zenario's User Form
module.

If you had file uploads enabled in a contact form or other user form, it was previously
possible for an attacker to exploit a remote code execution vulnerability.

This update patches this. We recommend everyone update their copy of Zenario as soon as
possible.

Other security updates

This update also patches a couple of minor security vulnerabilities in admin mode.

There was a small hole in our SVG sanitiser script, which meant it was still possible to
create an SVG with an XSS attack hidden inside and upload it wherever we accepted SVG uploads.

We've also fixed a small issue where the administrator's name was not being HTML escaped
on the diagnostics screen.

Neither of these issues is considered critical, as someone would already need
administrator access before they could exploit them.

Miscellaneous

Some fixes for PHP errors in PHP 8.0 have been patched back into this version of Zenario.
However, we would still recommend running the most recent version of Zenario if you need
support for PHP 8.